Memo 2015 2Nd International Workshop on Meta Models for Process Languages

MeMo 2015 2nd International Workshop on Meta Models for Process Languages

Grenoble, June 5, 2015 Part of DisCoTec 2015 Preface

This volume contains the papers presented at the 2nd International Workshop on Meta Models for Process Languages (MeMo 2015) held on June 5, 2015 in Grenoble. This edition follows the first one, which has been held at DisCoTec 2014 in Berlin. Metamodels are framework theories aiming to provide general, structural results simplifying and driving the development of models of specific systems and languages. There are frameworks for operational semantics (such as GSOS, graph rewriting systems, Milner’s bigraphs, coalgebras), for denotational semantics (such as algebraic/bialgebraic specifications, monads, enriched Lawvere theories, mathematical operational semantics), and for logical semantics (such as metalanguages for deductive systems, i.e. Logical Frameworks). The boundaries between these metamodels are blurred, and techniques and ideas from one can be reapplied to the others. The goal of the MeMo workshop is to bring together researchers working on and with metamodels, with the aim to share insights, uncover similarities and di↵erences, foster cross-fertilization and stimulate further research. Hence, MeMo solicits contributions in the theory and applications of metamodels: theoretical results, tool implementations, real-world applications, case studies, new application areas, integration of meta-models with programming languages, etc. At MeMo 2015 we had 5 contributions overall, ranging from structural operational semantics for graph transformation systems, to modal logics for systems with names; from the derivation of labelled transition systems from soft constraint systems, to applications of stochastic bigraphs to the modelization of wireless mesh networks. The program also includes an invited talk by Michele Loreti titled ULTraS of FuTS, which are two metamodels for labelled transition systems with quantitative aspects. I would like to thank the authors for their interest in MeMo, the members of the Program Committee for reviewing the submissions, the Organizing Commit- tee (Søren Debois and Thomas Hildebrandt) and the DisCoTec 2015 organizing committee for their support in the organization of this workshop.

May 15, 2015 Marino Miculan Udine MeMo 2015 PC chair

v Table of Contents

ULTraS of FuTS ...... 1 Michele Loreti Towards a Channels Allocation Scheme Model for WMNs based on SBRS with Sharing ...... 5 Rachida Boucebsi and Faiza Belala

Structured Operational Semantics for Graph Rewriting ...... 18 Tobias Heindel and Andrei Dorman Computing approximations for graph transformation systems ...... 1933 Ricardo Honorato-Zimmer, Tobias Heindel, Vincent Danos and Sandro Stucki Modal Logics for Nominal Transition Systems ...... 3044 Joachim Parrow, Johannes Borgstr¨om, Lars-Henrik Eriksson, Ramu- nas Gutkovas and Tjark Weber Recovering a Labelled Semantics for Soft CCP with Local Variables ..... 4862 Fabio Gadducci and Francesco Santini

vi Program Committee

Patrick Bahr Department of Computer Science, University of Copenhagen Iliano Cervesato Carnegie Mellon University Vincenzo Ciancia Istituto di Scienza e Tecnologie dell’Informazione “A. Faedo”, Consiglio Nazionale delle Ricerche, Italy Søren Debois IT University of Copenhagen Fabio Gadducci Dipartimento di Informatica, Universit`adi Pisa Tobias Heindel LFCS, University of Edinburgh Thomas Hildebrandt IT University of Copenhagen Marino Miculan DiMI, University of Udine Joachim Parrow Uppsala University Jan Rutten CWI Pawel Sobocinski University of Southampton

vii ULTraS of FuTS

Michele Loreti Dipartimento di Statistica, Informatica, Applicazioni “G. Parenti” Universita` di Firenze [email protected]

Labeled transition systems are typically used as behavioural models of concurrent processes. Their labeled transitions define a one-step state-to-state reachability relation. This model can be generalised by modifying the transition relation to associate a state reachability distribution with any pair consisting of a source state and a transition label. Each transition becames a triple of the form (s,↵,P). The first and the second components are the source state, s, and the label, ↵, of the transition, while the third component, P, is the state reachability distribution, or continuation function, associating a value of a suitable type to each state s0. Values are taken from a preordered set equipped with a minimum that denotes unreachability. By selecting suitable preordered sets, the resulting model can be specialised to capture well-known models of nondeterministic/probabilistic/stochastic processes. For example, in the case of stochastic process algebras the value of the continuation function on s0 represents the rate of the negative exponential distribution characterising the duration/delay of the action performed to reach state s0 from s. This uniform treatment of di↵erent behavioural models extends to behavioural equivalences. They can be defined by relying on appropriate measure functions that express the degree of reachability of a set of states when performing multi-step computations. A uni- fying framework to provide the semantics of process algebras, including their quantitative variants, can be also defined.

Process algebras (see [1] and references therein) have been successfully used in the last thirty years to model and analyse the behaviour of concurrent systems. Apart from specific syntactic operators used to define the term algebra, the basic ingredients of these formalisms are the model called labeled transition system (LTS) [13] and behavioural relations in the form of equivalences or preorders. By exploiting the structural operational semantic approach [15], an LTS is compositionally associated with each term and behavioural relations over LTS models are introduced to compare process terms describing systems at di↵erent levels of abstraction and to investigate properties of interest. Initially, process algebras were mainly designed to model and assess functional behaviours. However, it was soon noticed that other aspects of concurrent systems are at least as important as the functional ones. Thus, many variants of process algebras have been introduced to take into account quantitative aspects of concurrent systems. There have been proposals of (deterministically) timed process algebras, probabilistic process algebras, and stochastic(ally timed) process algebras, whose semantics have been rendered in terms of richer LTS models quotiented with appropriate behavioural relations. In order to provide a uniform account of di↵erent fully stochastic calculi, in [7], a variant of LTSs, namely Rate Transition Systems (RTSs), have been proposed. This model is inspired by the approach taken when modelling probabilistic systems via probabilistic automata, where operators derived from those of the process calculi are applied to probability distributions, as e.g. in [10]. In LTSs, a transition is a triple (P,↵, P0) where P is the source state, ↵ is the label of the transition, and P0 is the target state reached from P via ↵. On the other hand, in RTSs a transition is a triple of the form (P,↵,P), whose first and second component are again the source state and the transition label, but the third component P is the continuation function that associates a real non-negative value with each state P0. A non-zero value represents the rate of the exponential distribution characterising the time needed for the execution

c Michele Loreti Submitted to: This work is licensed under the MEMO 2015 Creative Commons Attribution License. 2 ULTraS of FuTS

of the action represented by ↵, necessary to reach P0 from P via the transition. Whenever P(P0) = 0, P0 is not reachable from P via ↵. RTS continuation functions are equipped with a rich set of operations which make RTSs particularly suitable as a framework for the compositional deﬁnition of fully stochastic calculi. In [8] a generalisation RTSs [7], named State to Function Labeled Transition Systems,FuTSs for short, has been proposed. FuTSs have generic commutative semi-rings, and not just the set of non- negative reals, as co-domain of continuation functions. The semi-ring structure of the co-domain preserves basic properties of primitive operations like sum and multiplication, which prove very useful when modelling composition of rates resulting from (parallel, non-deterministic, sequential) process compositions. Continuation functions are equipped with a rich set of (generic) operations, making FuTSs very well suited as a semantic domain for the compositional deﬁnition of the operational semantics of process calculi. FuTSs thus support a uniform and systematic understanding of similarities and di↵erences of the many stochastic calculi proposed in the literature [8]. In [3], another step in the direction of a uniform characterisation of the semantics of di↵erent process calculi by developing a generalisation of RTS models. The model proposed in [3] is called ULTraS from Uniform Labeled Transition Systems. Its transition relation associates with any pair of source state and transition label (s,a) a function mapping each possible target state into an element of the support D D a of a preordered set equipped with a minimum denoted by . Given a transition s , the value of ?D ! D (s ) expresses the degree of one-step reachability of s from s via that a-transition; if (s ) = then D 0 0 D 0 ?D s0 is not reachable from s via that a-transition. The ULTraS model can be used to capture di↵erent classes of processes by appropriately choosing D. In particular, we will see that we capture: 1. Fully nondeterministic processes, if D is the support set B = , of the traditional Boolean {? >} algebra. 2. Fully probabilistic processes and processes combining nondeterminism and probability, if D = R[0,1].

3. Fully stochastic processes and processes combining nondeterminism and stochasticity, if D = R 0. Modelling state transitions and their annotations is only one of the key ingredients of the description of concurrent processes. One must also combine single transitions into computations and find out ways for determining when two states give rise to behaviourally equivalent computation trees. In [3], the three major approaches to the development of behavioural equivalences are considered and used to define bisimulation, trace, and testing equivalences for the ULTraS model. An important component of definitions of the three equivalences for ULTraS is a measure function (s,↵,S ) that returns elements of the support M of another preordered set equipped with a minimum. MM 0 This function computes the degree of multi-step reachability of a set of target states S 0 from a source state s when performing computations labeled with the sequence of actions ↵. To capture classical equivalences for the di↵erent classes of processes, di↵erent measure functions are needed: 1. For nondeterministic processes, the measure of a computation from s to S labeled with ↵ is if 0 > the computation exists and otherwise. ? 2. For probabilistic processes, the measure function yields a value in R[0,1] that represents the probability of the set of computations from s to S 0 labeled with ↵. 3. For stochastic processes, to capture the di↵erent equivalences proposed in the literature, one has to distinguish two cases: Michele Loreti 3

In the end-to-end case, given a time threshold t R 0, the measure function yields a value in • 2 R[0,1] that represents the probability that the set of computations labeled with ↵ leads from s to S 0 within t time units.

In the step-by-step case, given a sequence of time thresholds ti R 0, the measure function • 2 yields a value in R[0,1] that represents the probability that the set of computations labeled with ↵ leads from s to S 0 within ti time units for each step i.

One of the main objectives of [3] was to asses the di↵erent choices that have been presented in the literature in the last twenty years for generalising behavioural equivalences over LTS models to richer models. It is interesting to see which of them are naturally captured by ULTraS and which ones need, instead, an ad hoc treatment. One can then observe that, as long as only models that deal with purely nondeterministic, purely probabilistic, or purely stochastic processes are considered, the known (and generally accepted) equivalences are directly captured. For models that combine probability or stochasticity with nondeterminism, the situation is less straightforward. There are many di↵erent ways of interpreting such combinations that influence the way behavioral equivalences are defined, leading to an explosion of potential approaches. Interestingly enough, for mixed processes ULTraSs lead to new equivalences that were not known in the literature. More precisely, the variant of probabilistic bisimulation equivalence, which has been studied in [5], has a strong connection with PML, the simple probabilistic extension of Hennessy-Milner logic that is in agreement with probabilistic bisimilarity for probabilistic processes without internal nondeterminism [14]. In contrast, the probabilistic bisimulation equivalence in [18] corresponds to a much richer modal logic with a specific operator for capturing probability measures of states reachability [11]. Moreover, the variant of probabilistic testing equivalence, which has been studied in [2, 4], is a conser- vative extension of the nondeterministic testing equivalence in [6] also when both nondeterministic and probabilistic tests are used, and implies probabilistic trace equivalence also under deterministic sched- ulers. This is not the case with the probabilistic testing equivalences in [19, 12, 17, 9]. Finally, the variant of probabilistic trace equivalence, which has been studied in [2, 4], is a congruence with respect to parallel composition, while the probabilistic trace equivalence in [16] is not compositional.

References

[1] J.A. Bergstra, A. Ponse & S.A. Smolka (editors) (2001): Handbook of Process Algebra. Elsevier. [2] M. Bernardo, R. De Nicola & M. Loreti (2012): Revisiting Trace and Testing Equivalences for Nondetermin- istic and Probabilistic Processes. In: Proc. of the 15th Int. Conf. on Foundations of Software Science and Computation Structures (FOSSACS 2012), LNCS 7213, Springer, pp. 195–209. [3] Marco Bernardo, Rocco De Nicola & Michele Loreti (2013): A uniform framework for modeling nondeterministic, probabilistic, stochastic, or mixed processes and their behavioral equivalences. 225, pp. 29–82, doi:10.1016/j.ic.2013.02.004. Available at http://dx.doi.org/10.1016/j.ic.2013.02.004. [4] Marco Bernardo, Rocco De Nicola & Michele Loreti (2014): Revisiting Trace and Testing Equivalences for Nondeterministic and Probabilistic Processes. 10, doi:10.2168/LMCS-10(1:16)2014. Available at http: //dx.doi.org/10.2168/LMCS-10(1:16)2014. [5] Marco Bernardo, Rocco De Nicola & Michele Loreti (2015): Revisiting bisimilarity and its modal logic for nondeterministic and probabilistic processes. Acta Inf. 52(1), pp. 61–106, doi:10.1007/s00236-014-0210-1. Available at http://dx.doi.org/10.1007/s00236-014-0210-1. [6] R. De Nicola & M. Hennessy (1984): Testing Equivalences for Processes. Theoretical Computer Science 34, pp. 83–133. 4 ULTraS of FuTS

[7] R. De Nicola, D. Latella, M. Loreti & M. Massink (2009): Rate-based Transition Systems for Stochastic Process Calculi. In Albers S., A. Marchetti-Spaccamela, Y. Matias, S. Nikoletseas & W. Thomas, editors: Automata, Languages and Programming. Part II, LNCS 5556, Springer-Verlag, pp. 435–446. ISBN 978-3- 642-02929-5. [8] Rocco De Nicola, Diego Latella, Michele Loreti & Mieke Massink (2013): A uniform definition of stochastic process calculi. ACM Comput. Surv. 46(1), p. 5, doi:10.1145/2522968.2522973. Available at http://doi. acm.org/10.1145/2522968.2522973. [9] Y. Deng, R.J. van Glabbeek, M. Hennessy & C. Morgan (2008): Characterising Testing Preorders for Finite Probabilistic Processes. Logical Methods in Computer Science 4(4:4), pp. 1–33. [10] Y. Deng, R. van Glabbeek, M. Hennessy, C. Morgan, & C. Zhang (2007): Characterising testing preorders for finite probabilistic processes. In: IEEE Symposium on Logic in Computer Science, IEEE, Computer Society Press, pp. 313–325. [11] H. Hermanns, A. Parma, R. Segala, B. Wachter & L. Zhang (2011): Probabilistic Logical Characterization. Information and Computation 209, pp. 154–172. [12] B. Jonsson & W. Yi (1995): Compositional Testing Preorders for Probabilistic Processes. In: Proc. of the 10th IEEE Symp. on Logic in Computer Science (LICS 1995), IEEE-CS Press, pp. 431–441. [13] R.M. Keller (1976): Formal Verification of Parallel Programs. Communications of the ACM 19, pp. 371– 384. [14] K.G. Larsen & A. Skou (1991): Bisimulation Through Probabilistic Testing. Information and Computation 94, pp. 1–28. [15] G.D. Plotkin (2004): A Structural Approach to Operational Semantics. Journal of Logic and Algebraic Programming 60/61, pp. 17–139. [16] R. Segala (1995): A Compositional Trace-Based Semantics for Probabilistic Automata. In: Proc. of the 6th Int. Conf. on Concurrency Theory (CONCUR 1995), LNCS 962, Springer, pp. 234–248. [17] R. Segala (1996): Testing Probabilistic Automata. In: Proc. of the 7th Int. Conf. on Concurrency Theory (CONCUR 1996), LNCS 1119, Springer, pp. 299–314. [18] R. Segala & N.A. Lynch (1994): Probabilistic Simulations for Probabilistic Processes. In: Proc. of the 5th Int. Conf. on Concurrency Theory (CONCUR 1994), LNCS 836, Springer, pp. 481–496. [19] W. Yi & K.G. Larsen (1992): Testing Probabilistic and Nondeterministic Processes. In: Proc. of the 12th Int. Symp. on Protocol Specification, Testing and Verification (PSTV 1992), North-Holland, pp. 47–61. Towards a Channels Allocation Scheme Model for WMNs based on SBRS with Sharing

Rachida Boucebsi Faiza Belala LIRE Laboratory, Constantine2-Abdelhamid Mehri University, Algeria [email protected] [email protected]

The use of formal methods is an effective means to improve the reliability and the capacity of Wire- less Mesh Networks. Indeed, the novel technology of WMNs doesnotdenysomelimitationsim- posed by their wireless multi-hop nature. The purpose of thisworkistoadaptoneofthesemethods to model the WMNs, so that the routing algorithms development, related to this network kind can benefit from it. We propose a formal semantic framework, basedontheStochasticBigraphicalRe- active Systems with sharing (SBRS with sharing), for modeling all entities of the WMN network topology on the one hand, and an efficient and analyzable channel allocation process (CA), in a multi-interfaces/multi-channels environment, on the other hand. Thus, we lean on SBRS model to give a precise and sufficient semantics to WMNs. We gather together the nodes that interfere, exploiting the SBRS features, as the Parent function and the nodes sharing, then we elaborate a set of reaction rules, labeled with rates that express stochastic evolutions of the WMN network while running the CA algorithm. Moreover, our formal model is executedandsimulatedundertheBigraphER environment dedicated to the verification and the simulationofthespecifiedsystems.

1Introduction

Wireless Mesh Networks (WMNs) is an emerging wireless technology which attracts more and more attention of service providers and enterprises, they constitute a very pleasant support for communication due to their ﬂexibility, ease of deployment and minimized costs. Besides, they provide a means of communication for a variety of applications with different service quality requirements in terms of delay, throughput, reliability, conﬁdentiality, etc. In particular, WMNs deployment can cover a wide networks area. They are used to connect multiple LANs wireless; only availability of routers is required. Thus, several wireless technologies support this type of communication, for instance, IEEE802.11 (for Wire- less Local Area Networks, WLAN), IEEE802.15.4 (for WirelessPersonalAreaNetworks,WPAN)and IEEE802.16 (for Wireless Metropolitan Area Networks, WMAN). This network type has a mesh architecture where all routers are connected with no central hierarchy. Each node may act as sender, receiver or relay. Thus, every communication between a source node andadestinationoneisdonethroughmul- tiple hops. WMNs form two-tier architecture, which is mainlycompoundofMeshrouters,Meshclients and Mesh Gateways, see Figure 1. Thanks to independent Mesh routers organization, these entities can form a mesh backbone networks (Backbone). In addition, they maintain the network connectivity and perform the routing process. Gen- erally, Mesh routers are equipped with several radio interfaces for their connection and one interface for the devices connecting. A Mesh router equipped with a bridge Getaway may include several network accesses, such as the Internet network. Although WMNs have many advantages, several problems persist, such as the security problem, the routing one and the quality of service (QoS), etc. Therefore,thisnetworktypedoesnotsufferfrom

⃝c Rachida Boucebsi , Faiza Belala Submitted to: This work is licensed under the MeMo 2015 Creative Commons Attribution License. 26 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing

Figure 1: A Generic Architecture of WMN

typical problems often encountered in the other wireless networks as energy consumption for sensor networks and mobility for MANET ones. However, as they are multi-hop wireless networks, they invoke other problem kinds, mainly the interference issue which affects their performances and causes the flow degradation and the node overloading. This phenomenon is undesirable since it affects directly the communications occurring in the same area and on the similar or converged channels. To tackle this problem, some existing works opt to use multiple radio interfaces and multiple channels on one hand, and duplicate paths between the source and the destination nodes to spread data traffic across multiple paths, on the other hand. But, we should note that twoneighboringnodescannotcommunicate unless their radios share the same channel. However, the reuse of the same channel in a neighborhood must be limited. Simultaneous transmissions on the same channel may cause collisions and lead to throughput degradation. Indeed, in an interference range, all links using the same channel, cannot trans- mit at the same time and should not share the same channel capacity. In order to improve the WMNs capacity, several researches arecurrentlyconductedregardingthechannel assignment when the routing is performed. We have already proposed in [18] an extended routing process taking the channels allocation in WMNs as a central key for minimizing the interference. Validation and analysis of the most existing approaches are based on simulation and test bed experiments. Although these methods are important and valuable for protocol evaluation, they still remain limited, they are very expensive in term of time consuming and are not exhaustive. Therefore, no general guarantee can be given about protocol behavior for a wide range of unpredictable deployment scenarios. The use of formal methods is an effective means to improve the reliability and the capacity of Wireless Mesh Networks. They may provide valuable design tools and contribute to the evaluation and the verification of routing protocols. This paper adopts an extensionofBigraphicalReactiveSystems(BRS,in short) [13] as a semantic framework for specifying WMNs topology and channel assignment during the routing process. For this purpose, Stochastic Bigraphs withSharing[21]seemmoreappropriatethan ordinary bigraphs since they are able to define spatial overlapping locations. Rachida Boucebsi , Faiza Belala 37

In a previous work [19], we have shown that graphical aspect and rigorous basis of ordinary BRS are suitable for representing both locality and connectivity ofroutersandchannelsinWMNsduringtheir reconfiguration process. We aim in this paper, to improve our model in order to preserve the WMNs main features, as the multi-hop and the overlapping of channels. We elaborate a Stochastic BRS with sharing model, called BiS-WMN*, to formally describe the network topology and its behavior while dealing with channel allocation during the routing process.Networksandtheirpathsarerepresentedas nodes of the Topology root, and channels with their eventual interferences represent the sharing nodes belonging to another distinctive root (called Interferenceroot).Then,stochasticreactionrules,labeled with rates, define possible evolution and reconfiguration of these WMN entities. Moreover, a bigraphical simulation engine (BigraphER tool [20]) may be applied to execute and simulate our obtained model. The rest of the paper is organized as follows. In section 2, we present related work. In section 3, we give a brief overview on Bigraphical Reactive Systems (BRS) and their relevant extensions. Section 4 presents our bigraphical specification of WMN networks. In section 5, we show how we encode and execute our bigraphical model with BigraphER tool. Finally, some concluding remarks and ongoing work round up the paper.

2Relatedwork

Using formal methods in WMNs context is relatively new, but itmayhaveagreatbeneﬁtandhelpinthis concern. Some formalisms, such as Process Algebra and Petri nets, have been proposed to solve speciﬁc problems of WMNs. In [4], authors gave a process algebra basedmodel,calledAWN(ProcessAlgebra for Wireless Mesh Networks) to specify WMNs routing protocols, hence it is about the AODV (Ad hoc On Demand Distance Vector) core. This result (AWN) was also used in [7] to prove that the sequence number cannot guarantee the non-existence of loops in protocols. In this context, further works [3], [15], [16] have resumed this formalism to model-check, respectively AODV and AODVv2 routing protocols, but in the context of WMN, with UPPAAL and SMC-UPPAAL tools. The same routing protocol versions are also formally analyzed by [9] and [11] using Colored Petri Nets. This formalism has also been used by [8] to verify the safety ofWMNs,solvingsomeattackkinds,like e.g. ”Black hole attack”. The above-cited works address neither the channels allocation nor the multi-path routing in the multi- radio WMNs context. In addition, both types of the used formalisms have been integrated in the Bigraph theory [12]. As a result, we contribute here by providing a generic BRS-based model in order to specify and analyze WMNs topology and their inherent behaviors, while insisting on channels allocation process. Indeed, the adopted formalism (Stochastic Bigraphical Reactive Systems with sharing) seems very appropriate and able to represent both locality and connectivity in WMN networks. It gives a formal meaning to all WMNs entities (signal, nodes, packets, etc.),anditallowsustoattributearatetothe reaction rule in order to control their application during the channel allocation process.

3Bigraphspresentation

Bigraphical Reactive Systems (BRS) theory was developed by Robin Milner [17] to model and analyze the distributed mobile code. The BRS is simply a bigraph (a graph type) equipped with reaction rules. A bigraph results from two merged graphs, places graph and links graph (Figure 2). Places graph speciﬁes the nodes hierarchy (nested locality of components) while the links graph represents the connections between these nodes. 48 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing

Figure 2: Anatomy of an ordinary bigraph

Abigraphmaycontainthefollowingelements:roots(regions), nodes, sites, edges, ports, inner and outer names (see Figure 2). Links graph encloses nodes and edges, where each edge connects two or more node ports. Place graphs are contained inside regions and mayalsocontainsitesthatcanbereplacedby aregionoranotherbigraph.Anodecanhaveports,seenintuitively as points for link connections. Ports are assigned to nodes by controls which deﬁne the arity of a node (the number of ports). A set of controls is called a signature. The wide use of BRS in various application areas has prompted the founders of this theory to expand it in several ways.

• Binding Bigraphs [22] are proposed to introduce the full independence relaxation of placing and linking notions, i.e. some links possess a locality concept in a bigraph. For instance, an edge bounded to a given node can only link ports that lie within thisnode. • Directed Bigraphs [5], this extension aims to assign a direction to edges for detecting the resource request flow. For this case, edges are considered as resourcesandnamesasresourcesrequests. • Stochastic BRSs (SBRS) [10] associate rates to rewrite rulesallowingderivingtheruleactivities on a given bigraph. Therefore, the state space generated by a SBRS can be naturally transformed into a Continuous Time Markov Chain (CTMC), so a quantitativeanalysiscanbeachievedthrough tools as the stochastic model checker PRISM. • Bigraphs with Sharing [21] is a novel generalization of Milners bigraphs in which two or more parents nodes may share the same child ”node”. So, the parent relation forms a DAG, and not a generic graph. therefore, the locality notion is updated. Asaconsequence,placesgraphhasbeen changed to support this sharing and the parent mapping is a binary relation instead of a function. This modification is sufficient to allow places to have zero or more parents.

In this paper, we are interested in a combination of the two later extensions of BRS. The Stochastic Bigraphical reactive systems with sharing (SBRS with sharing) have been proposed initially by Muffy Calder and Michele Sevegnani [14], then expanded with priorities to give a spatial order to reaction rules (PSBRS with sharing).

4OurApproach

In this section, we focus on how the BRS are able to define both static and dynamic aspects of WMNs. First, we need to define the topology (static aspect) and the interference aspects. This later represents the referred problem that we want to minimize by designing a channel allocation process (dynamic aspect) Rachida Boucebsi , Faiza Belala 95 thanks to the reaction rules. The routers and the channels localities may be defined by Places and Links graphs respectively. The reactions rules model the channelsallocation,givenasetoflinksforming the path between a source router and a destination one. We assume that all the routers have the same number (two, 2) of radio interfaces and the channel allocation process concerns only one path, i.e, we are interested here by the intra-flow interference. We propose in what follows the Stochastic BRS-based specification of WMNs, called BiS-WMN* (Bigraph with Sharing for Wireless Mesh Networks).

4.1 WMN Topology Model The general topology of a WMN is defined through one bigraph root (Topology root )oftheBiS-WMN* model , the second root (Interference)andsomestochasticreactionrulesaredesignedtosupportthe channel allocation process during routing. Particularly, we give a corresponding rules set (see Table 1) for abstracting the most important elements of a WMN network in the bigraph with sharing syntax. Then, we use this abstraction to associate a formal semantics to a WMN topology consisting of several fixed routers and mobile channels. Each router has two radio interfaces which represent the communication means of a router via its channels. Thus, we identify a bigraph definition consisting of two roots: Topology and Interference.Thefirstroot(seeFigure3)containsthenodes:Network, Path, RGRi (to specify arouterrange),C0 (represents the signal availability between two routers), IIP (Interference-Inside- Path) and a set of routers as links (ri), related to RGRi nodes. The Interference root includes:IC nodes (interference for a given channel), each one (ICi)nestsasetoftheCi non-orthogonal channels. This bigraphical structure (see Figure 3), which is independent of the WMN topology, is added to support the specification of the channel allocation process. This latterismainlybasedontheCAalgorithmproposed in [18]. We resume the IEEE.802.11 standard and reduce the channels number to eight (8) in order to facilitate the readability of the figure. We note that the channel interference in this standard is limited to two posterior/anterior adjacent channels. For example, thechannelofnumber6interfereswithitstwo successors channels: 7,8 and its two previous ones: 5,4

Figure 3: The bigraph of BiS-WMN* model

Places graph (Figure 4) in this case contains two trees that represent the hierarchical nesting of the various nodes, for example, a path (Path)islocatedwithinaNetworknode,etc.Notethatinthe Interference root tree, each ICi node is attached to a set of channels that interfere with channel Ci,i.e., {Ci-2, Ci-1, Ci+1, Ci+2},exceptforchannelsendofthestandard(C1 and C8 in our case). Indeed, the ICi node type can share some Ci nodes to avoid the nodes duplicating, while the link graph (Figure 5) 610 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing shows the possible relationships between these entities. Weidentify,forinstancethelinksri (routers) between the RGRi nodes and Cil between ICi and Ci nodes, etc.

Figure 4: Places graph Figure 5: Links graph

4.2 Channel Allocation Process Modeling Given the above WMN static part modeling based on the bigraph with sharing formalism, to specify arationalChannelsAllocationprocess(CA)whichminimizethe problem of interference between the used channels, we need to deﬁne a set of reaction rules (see last line of Table 1) ensuring the multi-radio WMN network evolution (dynamic part). Speciﬁcally, this paper contribution allows decorating each reaction rule by a rate expressing stochastic evolution of the network. Mainly, we conceive the following four meta-rules that will be applied on the bigraph Topology regarding its Interference root.

• Meta-rule 1: the selected channel Ci for a given path is initially hosted inside the RGRi node replacing the C0 node. The first reaction rule in Figure 11 illustrates a simpleinstantiationofthis meta-rule where the Topology root contains three routers, and four available channels (Interference root) with possibly interference of one channel (after and before) each one. This rule may have the simplest rate, because at time t=0,thisistheonlyrelevantrule. • Meta-rule 2: allows pursuing this type of channels assignment (Meta-rule1)whileachievingthe interference verification (Meta Rule3). The second reaction rule in Figure 11 illustrates its instantiation in the same example. The rate of this rule is calculated on the basis of the channels frequencies, i.e., the current channel frequency ( fx)andagivenavailablechannelfrequency ( fy) : ρ( fx, fy)=(fy− fx)/p .Wherepistheinterferenceintervaldefinedbetweenchannels (in our case p =2). • Meta-rule 3: checks if the interference between channels of agivenpathexists,thustheIIP node receives both concerned nodes RGRi and RGRj as indicated in the third reaction rule of Figure 11. Then, the rate of this rule is: ρ( fx, fy)=(fy)/(p + fx) . • Meta-rule 4: must be applied when the channel interference problem is caused, it replaces the latest allocated channel by its successor, and it transits IIP node to its first state as in the fourth reaction rule of Figure 11. The rule rate is defined as follows: ρ( fx, fy)=(fy)/(p + fx) . The use of rates guides the evolution process avoiding the useofallthedeclaredrules.Inthefinalstep of this formalization approach, we summarize our modeling approach by defining a formal meaning to all Rachida Boucebsi , Faiza Belala 117

WMN Concepts Bigraph-based Abstract Syntax Topology Topology root Interference deﬁnition Interference root Range Nodes RGRi ∈ VBiS-WMN ,suchthat: PrntBiS-WMN (RGRi)=Pathj ∪ Network Path Nodes Pathi ∈ VBiS-WMN ,suchthat: PrntBiS-WMN (Pathi)=Net- work Interference inside path Node IIP ∈ VBiS-WMN ,such: PrntBiS-WMN(IIP)= Path Channel Nodes Ci ∈ VBiS-WMN,suchthat: PrntBiS-WMN(Ci)=ICi ∪ RGRi Network Nodes Network ∈ VBiS-WMN,suchthat: PrntBiS-WMN(Network) = Topology root Channels overlapping Nodes ICi ∈ VBiS-WMN,suchthat: PrntBiS-WMN (ICi)= Inter- ference root Router Link ri ∈ EBiS-WMN Relationship between a channel Link Cil ∈ EBiS-WMN Ci and the interfering channels set or also the Path in which it will be attached Hosting a channel location in- Node C0 ∈ VBiS-WMN ,such: PrntBiS-WMN ( C0)= RGRi side a range area Channel Allocation process The reaction rules set that deﬁnes the deployment of a node Ci belonging to the Interference root inside a node RGRj of the Topology root

Table 1: Mapping WMN concepts to Stochastic BRS with sharing Elements

WMN entities (see Table1) and their possible reconﬁgured states when dealing with Channels Allocation algorithm (the four meta-rules application). The entire semantics assigned to a WMN network in the case of our study (CA) is given by the following deﬁnition.

Deﬁnition 1: We associate a Stochastic BRS with sharing based model, BiS-WMN* to each WMN network in evolution, consisting of a bigraph BS and a set of reaction rules SR.Where, BS=(VBiS-WMN,EBiS-WMN,ctrlBiS-WMN,GPBiS-WMN,GLBiS-WMN,PTBiS-WMN):(m, φ) → (2, φ),andSR is a set of stochastic reaction rules obtained by instantiating the four meta-rules deﬁned below.

• VBiS-WMN = {RGR, C, IC, C0, Network, Path, IIP},itincludesallnodetypesoftheWMNnetwork bigraph.

• EBiS-WMN = { ri , Cil},isasetoflinks;whereri represents a router, Cil is a link connecting a channel Ci with its ICi interference node, or with the Path node if this channel is selected as the ﬁrst channel in the concerned path.

• ctrlBiS-WMN: VBiS-WMN→ K,assignskinds(types)toallnodes,K={Ci (1, atomic), C0 (0, atomic), ICi: (1, composite), RGRi: (2, composite), Network: (0, composite), Path: (1, composite), IIP (0, composite)}. 812 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing

• GPBiS-WMN et GLBiS-WMN ,arerespectivelyplacesandlinksgraphswhere:GPBiS-WMN=(VBiS-WMN , ctrlBiS- WMN , prntBiS-WMN ):m →2. GLBiS-WMN= VBiS-WMN ,EBiS-WMN ,ctrlBiS-WMN , linkBiS-WMN ): φ → φ.Inourcase XBiS-WMN and YBiS-WMN are empty, it is about a closed bigraph.

• linkBiS-WMN: PBiS-WMN→ EBiS-WMN is an application that shows the data ﬂow from the ports set: PBiS-WMN to the edges set: EBiS-WMN.

• prntBiS-WMN = {(Topology, Network), (Network, Path), (Network, RGRi), (Path, RGRj), (Path, IIP), (IIP, RGRi), (Interference, ICk), (ICk, Ck), (RGRi , C0), (RGR, Ci)},isabinaryrelationwhich associates each node to its hierarchical parents.

• PBiS-WMN = PC ∪ PIC∪ PPT ∪ PRG ∪ PIIP avec PC = {ICiP}, PIC= {CiP}, PPT={CP}, PIIP = {IIPP},PRG = {R1iP, R2jP},thusweassociateonetypeforeachport.

We note that: (m, φ)and(2,φ) deﬁne the bigraph interfaces, where m is the number of the used sites, in our case it is equal to the number of nodes IIP.Itisobvioustonotealsothattheregionsnumber is ﬁxed to two (2).

5BiS-WMN*ModelExecution

Figure 6: Architecture of the command-line tool. The modulesarerepresentedbytheboxeswithinthe dotted box. Unlabeled arrows show the dependency relation between the modules.

Figure 7: Bigraph signature declaration

AsetofpracticaltoolsaredevelopedaroundBRSmodelsinorder to manipulate, execute and analyze the bigraphical systems. The most known ones are: BPL Tool [1], Big Red [2] and BigMc [6]. BigraphER (Bigraph Evaluator and Rewriting) [20] is a recenttoolthatimplementsBRS-basedmodel and Stochastic BRS-based model too, it supports places graphwithsharing.BigraphERiscomposedof Rachida Boucebsi , Faiza Belala 139

Figure 8: Stochastic reaction rule

Figure 9: Initial bigraph an OCaml library and a command-line tool. This later uses datastructuresthatOCamllibraryprovides for their programming interfaces. Command-line tool (Figure 6) [21] contains a compiler, a matching engine and a rewriting engine. The tool input is a model speciﬁcation written in BigraphER speciﬁcation language. However, the output can be textual or a graphical representation of the bigraph. Moreover, the tool may offer a graphical representation of each state. Thisresultisobtainedthankstorewritingengine that builds a graph by iteratively applying the reaction rules to each state.

Figure 10: SBRS Declaration Example

We have transcribed our model (BiS-WMN*), through the generic example of (Figure 3), in the BigraphER specification language to execute it, and simulateitssystembehavior.Ourspecificationis divided into four parts. The first defines the signature of the model; it is illustrated in (Figure 7) where we declare the controls of the different used nodes. Next, we specify a set of stochastic reactions rules for 1014 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing this example; we especially instantiate those presented above. A rule example that handles an allocation of a given channel (C2 in our case) is presented in (Figure 8). An algebraic specification of our initial bigraph must also be given (see Figure 9). Finally, a completedefinitionofthecorrespondingreactive system is indicated at (Figure 10)(for this example) where weidentifytheinitialbigraph(n0)andtheset of considered reaction rules. The BigraphER tool performs the execution of this example. Asimportantresult,weaffirmthatnot all defined reaction rules are applied and we have three possible states. Table 2 shows the result of our reaction rules execution, each BiS-WMN* state is represented graphically as a combination of the two (places and links) graphs. The first state is the initial bigraph, the second and the third ones are obtained after applying the stochastic rules: Meta rule1 and Meta rule2. We notice that only channel allocation reaction rules are applied. Indeed, when calculating rule rates, we find that channel numbered 4 is the most appropriate one after channel numbered 1 (i.e., it has the greater rate). Therefore, we have no need to apply verification (Meta-rule3) or updating (Meta-rule4)stochasticreactionrulesinthisparticular example.

6Conclusion

We have presented in this work a semantic framework for modeling multi-radio wireless mesh networks. Specifically, we have shown the interest of a given BRS extension, coupling the bigraph with nodes sharing and stochastic bigraph, to support the modeling of WMNs. We have defined a complete bigraphical model, called BiS-WMN*, for both the static and the dynamic parts of a WMN network. A generic topology (structure) of thisnetworkisrepresentedthankstoa Topology root of the bigraph. While its reconfigured states are specified, given another Interference root, by some stochastic reaction rules. Each rule is decorated with a rate expressing a possible stochastic evolution of the WMN network while running the CA algorithm of[18].Besides,ourformalmodelwas executed and simulated under the BigraphER tool. This work provides a new opportunity to formal specify and verify the WMN routing protocols. Since our bigraphical model is generic, it can be extended by several structures regarding Wireless Mesh Networks features. In the near future, we plan to use the added stochastic information, in order to express and verify the non-functional properties (quality of service) and thus, ensure the flow improvement and performance of WMNs networks.

References

[1] L. Birkedal E. Hjsgaard A.J. Glenstrup, T.C. Damgaard (2008): An implementation of bigraph matching. [2] Thomas T. Hildebrandt Alexander Faithfull, Gian Perrone(2012):BigRed: a development environment for bigraph. 4th International Workshop on Graph Computation Models. [3] Peter Hoefner Annabelle McIver Marius Portmann Wee Lum Tan Ansgar Fehnker, Robert van Glabbeek (2012): Automated Analysis of AODV using UPPAAL. 18th International Conference on Tools and Algo- rithms for the Construction and Analysis of Systems. [4] Peter Hoefner Annabelle McIver Marius Portmann Wee Lum Tan Ansgar Fehnker, Robert van Glabbeek (2012): AProcessAlgebraforWirelessMeshNetworks. 22nd European Symposium on Programming. [5] M. Miculan D. Grohmann (2007): Directed bigraphs. Electronic Notes in Theoretical Computer Science. [6] T. Hildebrandt G. Perrone (2012): AModelCheckerforBigraphs. Proceedings of the 27th ACM Sym. in Applied Computing ACM-SAC’12. Rachida Boucebsi , Faiza Belala 1115

[7] Wee Lum Tan Marius Portmann Robert van Glabbeek, Peter Hoefner (2013): Robert van Glabbeek, Peter Hoefner, Wee Lum Tan and Marius Portmann. 16th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems, pp. 1-10, Barcelona, Spain, November. [8] Qiang Zhou Hejiao Huang (2012): Petri-net-based Modeling and Resolving of Black Hole AttackinWMN. IEEE 36th International Conference on Computer Software andApplicationsWorkshops. [9] C. Yuan J. Billington (2009): On modeling and analyzing the dynamic MANET on-demand (DYMO)routing protocol. Transactions on Petri Nets and Other Models of Concurrency III., ser. Lecture Notes in Computer Science. Springer Berlin /Heidelberg., vol. 5800. [10] A. Troina J. Krivine, R. Milner (2008): Stochastic bigraphs. Electronic Notes in Theoretical Computer Science,218:7396. [11] L. Kristensen K. Espensen, M. Kjeldsen (2008): Modeling and initial validation of the DYMO routing protocol for mobile ad-hoc networks. Applications and Theory of Petri Nets (Petri NETS08), ser. LNCS, K. M. van Hee and R. Valk, Eds., vol. 5062. Springer,. [12] R. Milner (2008): Bigraphs and their algebra. Proc. of the LIX Colloquium on Emerging Trends in Concur- rency Theory, Electronic Notes in Theoretical Computer Science Elsevier, V. 209, 5-19. [13] R. Milner (2009): The Space and Motion of Communicating Agents. Cambridge University Press. [14] Michele Sevegnani Muffy Calder (2014): Modelling IEEE 802.11 CSMA-CA RTS-CTS with stochastic bigraphs with sharing. Formal Aspects of Computing, Volume 26, Issue 3, pp 537-561, Springer. [15] Maryam Kamali Peter Hoefner (2013): Quantitative Analysis of AODV and its Variants on Dynamic Topolo- gies using Statistical Model Checking. 11th International Conference on Formal Modeling and Analysis of Timed Systems (Formats ’13), pp. 15, Buenos Aires, Argentina. [16] Sarah Edenhofer Peter Hoefner (2012): Towards a Rigorous Analysis of AODVv2 (DYMO). 2nd International Workshop on Rigorous Protocol Engineering (WRiPE 2012), pp.1-6,Austin,Texas. [17] O.H. Jensen R. Milner (2004): Bigraphs and mobiles processes. Technical Report 580, University of Cam- bridge. [18] Faiza Belala Rachida Boucebsi, Lakhdar Derdouri (2014): Affectation des Canaux dans Routage Multi- Chemins: Cas des Reseaux Mesh. 3rd edition of the Student Day ESI’14 (Jeesi 14, Algiers, Algria). [19] Lakhdar Derdouri Rachida Boucebsi, Faiza Belala (2014): Modeling Channel Allocation via BRS: Case of WMNs. International Conference on Advanced Aspects of Software Engineering (ICAASE14). [20] Michele Sevegnani (2012): Bigraph Evaluator and Rewriting. Available at http://www.dcs.gla.ac.uk/ michele/bigrapher.html. [21] Michele Sevegnani (2012): Bigraphs with sharing and applications in wireless networks. PhD thesis, Uni- versity of Glasgow. [22] L. Birkedal T.C. Damgaard (2006): Axiomatizing binding bigraphs. Nordic Journal of Computing, 13(12):5877. 1216 Towards Channels Allocation Scheme Model for WMNs based on SBRS with Sharing

Figure 11: Example of Meta-rules instantiation Rachida Boucebsi , Faiza Belala 1317

states Simulation

Table 2: Simulation results Structured Operational Semantics for Graph Rewriting⇤

Andrei Dorman Tobias Heindel Dip. di Filosoﬁa, Universita` Roma Tre LIPN – UMR 7030, Universite´ Paris 13 LIPN – UMR 7030, Universite´ Paris 13 [email protected] [email protected]

Process calculi and graph transformation systems provide models of reactive systems with labelled transition semantics. While the semantics for process calculi is compositional, this is not the case for graph transformation systems, in general. Hence, the goal of this article is to obtain a compositional semantics for graph transformation system in analogy to the structural operational semantics (SOS) for Milner’s Calculus of Communicating Systems (CCS). The paper introduces an SOS style axiomatization of the standard labelled transition semantics for graph transformation systems. The ﬁrst result is its equivalence with the so-called Borrowed Context technique. Unfortunately, the axiomatization is not compositional in the expected manner as no rule captures “internal” communication of sub-systems. The main result states that such a rule is derivable if the given graph transformation system enjoys a certain property, which we call “complementarity of actions”. Archetypal examples of such systems are interaction nets. We also discuss problems that arise if “complementarity of actions” is violated. Key words: process calculi, graph transformation, structural operational semantics, compositional methods

1 Introduction

Process calculi remain one of the central tools for the description of interactive systems. The archetypal example of process calculi are Milner’s p-calculus and the even more basic calculus of communication systems (CCS). The semantics of these calculi is given by labelled transition systems (LTS), which in fact can be given as a structural operational semantics (SOS). An advantage of SOS is their potential for combination with compositional methods for the veriﬁcation of systems (see e.g. [17]). Fruitful inspiration for the development of LTS semantics for other “non-standard” process calculi originates from the area of graph transformation where techniques for the derivation of LTS semantics from “reaction rules” have been developed [16, 7]. The strongest point of these techniques is the context independence of the resulting behavioral equivalences, which are in fact congruences. Moreover, these techniques have lead to original LTS-semantics for the ambient calculus [15, 3], which are also given as SOS systems. Already in the special case of ambients, the SOS-style presentation goes beyond the standard techniques of label derivation in [16, 7]. An open research challenge is the development of a general technique for the canonical derivation of SOS-style LTS-semantics. The problem is the “monolithic” character of the standard LTS for graph transformation systems. In the present paper, we set out to develop a partial solution to the problem for what we shall call CCS-like graph transformation systems. The main idea is to develop an analogy to CCS where each action a has a co-action a that can synchronize to obtain a silent transition; this is the so-called communication rule. In analogy, one can restrict attention to graph transformation systems with rules that allow to assign to each (hyper-)edge a unique co-edge. Natural examples of such systems are interaction nets as

⇤This work was partially supported by grants from Agence Nationale de la Recherche, ref. ANR-08-BLANC-0211-01 (COMPLICE project) and ref. ANR-09-BLAN-0169 (PANDA project).

Bliudze, S., Bruni, R., Carbone, M., Silva, A. (Eds.); ICE 2011 EPTCS 59, 2011, pp. 37–51, doi:10.4204/EPTCS.59.4 3819 SOS for Graph Rewriting introduced by Lafont [11, 1]. In fact, one of the motivations of the paper is to derive SOS semantics for interaction nets.

Structure and contents of the paper We ﬁrst introduce the very essentials of graph transformation and the so-called Borrowed Context (BC) technique [7] for the special case of (hyper-)graph transformation in Section 2. To make the analogy between CCS and BC as formal as possible, we introduce the system SOSBC in Section 3, which is meant to provide the uninitiated reader with a new perspective on the BC technique. Moreover, the system SOSBC emphasizes the “local” character of graph transformations as every transition can be decomposed into a “basic” action in some context. In particular, we do not have any counterpart to the communication rule of CCS, which shall be addressed in Section 4. We illustrate why it is not evident when and how two labeled transitions of two states that share their interface can be combined into a single synchronized action. However, we will be able to describe sufﬁcient conditions on (hyper-)graph transformation systems that allow to derive the counterpart of the communication rule of CCS in the system SOSBC. Systems of this kind have a natural notion of “complementarity of actions” in the LTS.

2 Preliminaries

We first recall the standard definition of (hyper-)graphs and a formalism of transformation of hyper-graphs (following the double pushout approach). We also present the labelled transition semantics for hyper-graph transformation systems that has been proposed in [7]. In the present paper, the more general case of categories of graph-like structures is not of central importance. However, some of the proofs will use basic results of category theory. Definition 2.1 (Hypergraphs and hypergraph morphisms). Let L be a set of labels with associated arity function ar: L N.A(L-labelled) hyper-graph is a tuple G =(E,V,`,cnct) where E is a set ! of (hyper-)edges, V is a set of vertices or nodes, `: E L is the labelling function, and cnct is the ! connection function, which assigns to each edge e E a string (e.g. a finite sequence) of incident vertices 2 cnct(e)=v v of length ar(`(e)) = n (where v ,...,v V). Let v V be a node; its degree, written 1 ··· n { 1 n} ✓ 2 deg(v) is the number of edges of which it is an incident node, i.e. deg(v)= e E v incident to e |{ 2 | }| (where for any finite set M, the number of elements of M is M ). We also write v G and e G if v V | | 2 2 2 and e E. 2 Let G =(E ,V ,` ,cnct ) (i 1,2 ) be hyper-graphs; a hyper-graph morphism from G to G , written i i i i i 2 { } 1 2 f : G G is a pair of functions f =(f : E E , f : V V ) such that ` f = ` and for each edge 1 ! 2 E 1 ! 2 V 1 ! 2 2 E 1 e E with attached nodes cnct(e)=v v we have cnct ( f (e)) = f (v ) f (v ). A hyper-graph 1 2 1 1 ··· n 2 E V 1 ··· V n morphism f =(f , f ): G G is injective (bijective) if both f and f are injective (bijective); it is an E V 1 ! 2 E V inclusion if both f (e)=e and f (v)=v hold for all e E and v V . We write G G or G G E V 2 1 2 1 1 ! 2 2 1 if there is an inclusion from G1 to G2, in which case G1 is a sub-graph of G2. To define double pushout graph transformation and the Borrowed Context technique [7], we will need the following constructions of hyper-graphs, which roughly amount to intersection and union of hyper-graphs. Definition 2.2 (Pullbacks & pushouts of monos). Let G =(E ,V ,` ,cnct ) (i 0,1,2,3 ) be hyper- i i i i i 2 { } graphs and let G G G be inclusions. The intersection of G and G is the hyper-graph G = 1 ! 3 2 1 2 0 (E E ,V V ,` ,cnct ) where ` (e)=` (e) and cnct (e)=cnct (e) for all e E E . The pullback 1 \ 2 1 \ 2 0 0 0 1 0 2 2 1 \ 2 of G G G is the pair of inclusions G G G and the resulting square is a pullback square 1 ! 3 2 1 0 ! 2 (see Figure 1). Andrei Dorman, Tobias Heindel 3920

G3 G2 G0 G2

G1 G0 G1 G00

Figure 1: Pullback and pushout square

Let G G G be inclusions; they are non-overlapping if both E E E and V V V 1 0 ! 2 1 \ 2 ✓ 0 1 \ 2 ✓ 0 hold. The pushout of non-overlapping inclusions G G G is the pair of inclusions G G G 1 0 ! 2 1 ! 00 2 where G =(E E ,V V ,` ,cnct ) is the hyper-graph that satisﬁes 00 1 [ 2 1 [ 2 00 00

`1(e) if e E1 cnct1(e) if e E1 `00(e)= 2 and cnct00(e)= 2 (`2(e) otherwise (cnct2(e) otherwise for all e E E . 2 1 [ 2 Finally, we are ready to introduce graph transformation systems and their labelled transition semantics. Deﬁnition 2.3 (Rules and graph transformation systems). A rule (scheme) is a pair of non-overlapping inclusions of hyper-graphs r =(L I R). Let A,B be hyper-graphs such that A L and moreover ! A I R is non-overlapping. Now, r transforms A to B if there exists a diagram as ! L I R shown on the right such that the two squares are pushouts and there is an isomorphism i : B B.Agraph transformation system (GTS) is pair S =(L,R) where L is a 0 ! A D B set of labels and R is a set of rules. 0 A graph transformation rule can be understood as follows. Whenever the left hand side L is (isomorphic to) a sub-graph of some graph A then this sub-graph can be “removed” from A, yielding the graph D. The vacant place in D is then “replaced” by the right hand side R of the rule. The middleman I is the memory of the connections L had with the rest of the graph in order for R to be attached in exactly the same place. We now present an example that will be used throughout the paper to illustrate the main ideas. Example 2.1. The system S =(L,R) will be the following one in the sequel: L = a,b,g,... such ex { } that ar(a)=2, ar(b)=3 and ar(g)=1; moreover R is the set of rules given in Figure 2 where the Ri represent different graphs (e.g. edges with labels Ri). To keep the graphical representations clear, all inclusions in the running example are given implicitly by the spatial arrangement of nodes and edges.

a a R1 R2 b ! g !

(a) Rule “a/b” (b) Rule “a/g”

b a g R4 R3 g ! b !

Figure 2: Reaction rules of Sex. 4021 SOS for Graph Rewriting

Remark 2.1 (Rule instances). Given a rule L I R and a graph A such that A L, one can assume ! w.l.o.g. that A I R is non-overlapping. The reason is that in each case, the rule L I R could ! ! be replaced by an isomorphic “rule instance” r = L I R (based on the standard notion of rule 0 0 0 ! 0 isomorphism). In fact the result of each transformation step is unique (up to isomorphism). This is a consequence of the following fact. Fact 2.4 (Pushout complements). Let G G G be a pair of hyper-graph 2 1 0 G G inclusions where G =(E ,V ,` ,cnct ) (i 0,1,2 ) such that for all v V V 1 0 i i i i i 2 { } 2 1 \ 0 (1) there does not exist any edge e E2 E0 such that v is incident to e. Then there 2 \ G exists a unique sub-graph G D such that (1) is a pushout square. 2 D 2 Definition 2.5 (Pushout Complement). Let G G G be a pair of hyper-graph inclusions that satisfy 2 1 0 the conditions of Fact 2.4; the unique completion G D G in (1) is the pushout complement of 2 0 G G G . 2 1 0 Definition 2.6 (Labelled transition system). A labelled transition system (LTS) is a tuple (S,Ł,R) where S is a set of states, Ł is a set of labels and R S Ł S is the transition relation. We write ✓ ⇥ ⇥ a s s0 ! if (s,a,s ) R and say that s can evolve to s by performing a. 0 2 0 (DPOBC) Let S =(L,R) be a graph transformation Definition 2.7 . D L I R system. Its LTS has all inclusions of hyper-graphs J G as states where ! J is called the interface; the labels are all pairs of inclusions J F K, ! G Gc C H and a state J G evolves to another one K H if there is a diagram as ! ! shown on the right, which is called a DPOBC-diagram or just a BC-diagram. In this diagram, the graph D is called the partial match of L. J F K For a technical justification of this definition, see [16], but let us give some intuitions on what this diagram expresses. States are inclusions, where the “larger” part models the whole “internal” state of the system while the “smaller” part, the interface, models the part that is directly accessible to the environment and allows for (non-trivial) interaction. As a particular simple example, one could have a Petri net where the set of places (with markings) is the complete state and some of the place are “open” to the environment such that interaction takes place by exchange of tokens. The addition of agents/resources from the environment might result in “new” reactions, which have not been possible before. The idea of the LTS semantics for graph transformation is to consider (the addition of) “minimal” contexts that allow for “new” reactions as labels. The minimality requirement of an addition J E or J F is captured by the two leftmost squares in the BC diagram above: the ! ! addition J F is “just enough” to complete part of the left hand side L of some rule. If the reaction ! actually takes place, which is captured by the other two squares in the upper row in the BC diagram, some agents might disappear / some resources might be used (depending on the preferred metaphor) and new ones might appear. Finally the pullback square in the BC diagram restricts the changes to obtain the new interface into the result state after reaction. As different rules might result in different deletion effects that are “visible” to the environment, the full label of each such “new” reaction is the “trigger” J F together ! with the “observable” change F K (with state K H after interaction). ! Andrei Dorman, Tobias Heindel 4122

3 Three Layer SOS semantics

We start with a reformulation of the borrowed context technique that breaks the “monolithic” BC-step into axioms (that allow to derive the basic actions) and two rules that allow to perform these basic actions within suitable contexts. The axioms corresponds to the CCS-axioms that describe that the process a.P can perform the action a and then behaves as P, written a.P a P where a ranges over the actions a,a, and t. In the case of graphs, each rule L I R gives rise to such a set of actions. More precisely, each ! subgraph D of L can be seen as an “action” with co-action DL L such that L is the union of D and DL. ! For example, in the rule a/b, both edges a and b yield (complementary) basic actions. Formally, in Table 1, we have the family of Basic Actionb axioms. It essentially represents all theb possible uses of a transformation rule. In an (encoding of) CCS, the left hand side would be a pair of unary edges a and a, which both disappear during reaction. Now, if only a is present “within” the system, it needs a to perform a reaction; thus, the part a of the left hand side induces the (inter-)action that consists in “borrowing” a and deleting both edges (and similarly for a). In general, e.g. in the rule a/b/g there might be more than two edges that are involved in a reaction and thus we have a whole family of actions. More precisely, each portion of a left hand side induces the action that consists in borrowing the missing part to perform the reaction (thus obtaining the coplete left hand side), followed by applying the changes that are described by the right part of the rule. Next, we shall give counterparts for two CCS-rules that describe that an action can be performed in parallel to another process and under a restriction. More precisely, whenever we have the transition P a P and another process Q, then there is also a transition P Q a P Q; similarly, we also have 0 k 0 k (nb)P a (nb)P whenever a / b,b . More abstractly, actions are preserved by certain contexts. The 0 2 { } notion of context in the case of graph transformation, which will be the counterpart of process contexts such as P [ ] and (nb)[ ], is as follows. k · · Deﬁnition 3.1 (Context). A context is a pair of inclusions C = J E J0. Let J G be a state (such ! ! that E J G is non-overlapping); the combination of J G with the context C, written C[J G], is ! ! ! the inclusion of J into the pushout of E J G as illustrated in the following display. 0 ! G G G G state: context: construction: combination:

J J E J0 J E J0 J0 The left inclusion of the context, i.e. J E, can also be seen as a state with the same interface. The ! pushout then gives the result of “gluing” E to the original G at the interface J; the second inclusion J E 0 ! models a new interface, which possibly contains part of J and additional “new” entities in E. With this general notion of context at hand, we shall next address the counterpart of name restriction, which we call interface narrowing, the second rule family in Table 1. In CCS, the restriction (na) preserves only those actions that do not involve a. The counterpart of the context (na)[ ] is a context of the form · J J J . In certain cases, one can “narrow” a label while “maintaining” the “proper” action as made ! 0 formal in the following deﬁnition.

Definition 3.2 (Narrowing). A narrowing context is a context of the form C = J J J0. Let J F K ! ! be a label such that the pushout complement of F J J exists; then the C-narrowing of the label, 0 written C[J F K] is the lower row in the following display ! J F K where C = J J J0 ! C[J F K] := J0 F K ! 0 0 4223 SOS for Graph Rewriting where the left square is a pushout and the right one a pullback. Whenever we write C[J F K], we ! assume that the relevant pushout complement exists. If we think of the interface as the set of free names of a process, then restricting a name means removal from the interface. Thus, J0 is the set of the remaining free names. If the pushout complement F0 exists, it represents F with the restricted names erased. Finally, since a pullback here can be seen as an intersection, K0 is K without the restricted names. So we finally obtain the “same” label where “irrelevant” names are not mentioned. It is of course not always possible to narrow the interface. For instance, one cannot restrict the names that are involved in labelled transitions of CCS-like process calculi. This impossibility is captured by the non-existence of the pushout complement. With the notion of narrowing, we can finally define the interface narrowing rule in Table 1. The final rule in Table 1 captures the counterpart of performing an action in parallel composition with another process P. In the case of graph transformation, this case is non-trivial since even the pure addition of context potentially interferes with the action of some state J G. For example, if an interaction ! involves the deletion of an (isolated) node, the addition of an edge to this node inhibits the reaction. However, for each transition there is a natural notion of non-inhibiting context; moreover, to stay close to the intuition that parallel composition with a process P only adds new resources and to avoid overlap with the narrowing rule, we restrict to monotone contexts. Definition 3.3 (Compatible contexts). Let C = J E J be a context; it is ! monotone if J J. Let J F K be a label; now C is non-inhibiting w.r.t. ! ! J F K J F K if it is possible to construct the diagram (2) where both squares are ! (2) pushouts. Finally, a context J E J is compatible with the label J F K ! ! E E if it is non-inhibiting w.r.t. it and monotone. 1 E0

In a label J F K, the left inclusion represents the addition of new entities that “trigger” a certain ! reaction. A compatible context is simply a context that is able to provide at least F, usually more than F, while not attaching new edges to nodes that disappear during reaction. The last rule in the SOSBC-system of Table 1 is the embedding of a whole transition into a monotone context. To deﬁne this properly, we introduce a partial operation for the “combination” of co-spans (which happens to be a particular type of relative pushout of co-spans); this generalizes the narrowing construction. Deﬁnition 3.4 (Cospan combination). Let C =(J F K) and C =(J E J) be two cospans. ! ! They are combinable if there exists a diagram of the following form.

J F K

E E1 E0

J F K =: C[J F K] ! The label J F K is the combination of C with C, and is denoted by C[J F K]. ! ! In fact, it is easy to show that compatible contexts are combinable with their label. Lemma 3.5. Given a reduction label J F K and a compatible context J E J for it, we can ! ! split the diagram 2 in order to get Andrei Dorman, Tobias Heindel 4324

J F K J F K . J F K and E E1 E0

E E1 E 0 J F K = C[J F K] !

With this lemma we can ﬁnally deﬁne the rule that corresponds to “parallel composition” of an action with another “process”. Now the SOSBC-system does not only give an analogy to the standard SOS-semantics for CCS, we shall also see that the labels that are derived by the standard BC technique are exactly those labels that can be obtained from the basic actions by compatible contextualization and interface narrowing. In technical terms, the SOSBC-system of Table 1 is sound and complete.

Basic Actions • (L I R) S where D L I ! 2 (D D) ! (I R) and D L ! ! ! ! Interface Narrowing • J F K (J G) ! (K H) C = J J J ! ! ! where ! 0 J0 F0 K0 and J F K = C[J F K] (J G) ! (K H) 0 0 0 0 ! ! 0 ! ! ! Compatible Contextualization • J F K (J G) ! (K H) C = J E J compatible with J F K ! ! ! where ! ! C[J F K] and C =(J F K)[C] C[J G] ! C[K H] ! ! ! !

Table 1: Axioms and rules of the SOSBC-system.

Theorem 3.6 (Soundness and completeness). Let S be a graph transformation system. Then there is a BC-transition J F K (J G) ! (K H) ! ! ! if and only if it is derivable in the SOSBC-system. The main role of this theorem is not its technical “backbone”, which is similar to many other theorems on the Borrowed Context technique. The main insight to be gained is the absence of any “real” communication between sub-systems; roughly, every reaction of a state can be “localized” and then derived from a basic action (followed by contextualization and narrowing). In particular, we do not have any counterpart to the communication-rule in CCS, which has complementary actions P a P 0 and Q a Q as premises and concludes the possibility of communication of the processes P and Q to 0 perform the silent “internal” transition P Q t P Q . The main goal is to provide an analysis of k 0 k 0 possible issues with a counterpart of this rule. 4425 SOS for Graph Rewriting

4 The composition rule for CCS-like systems

Process calculi, such as CCS and the p-calculus, have a so-called communication rule that allows to synchronize sub-processes to perform silent actions. The involved process terms have complementary actions that allow to interact by a “hand-shake”. However, it is an open question how such a communication rule can be obtained for general graph transformations systems via the Borrowed Context technique. Roughly, the label of a transition does not contain information about which reaction rule was used to derive it; in fact, the same label might be derived using different rules. Intuitively, we do not know how to identify the two hands that have met to shake hands. To elaborate on this using the metaphor of handshakes, assume that we have an agent that needs a hand to perform a handshake or to deliver an object. If we observe this agent reaching out for another hand, we cannot conclude from it which of the two possible actions will follow. In general, even after the action is performed, it still is not possible to know the decision of the agent – without extra information, which might however not be observable. However, with suitable assumptions about the “allowed actions”, all necessary information might be available. First, we recall from [2] that DPOBC-diagrams (as deﬁned in Deﬁnition 2.7) can be composed under certain circumstances. Fact 4.1. Let

J F K J0 F0 K0 (J G) ! (K H) and (J0 G0) ! (K0 H0) ! ! ! ! ! ! be two transitions obtained from two DPOBC-diagrams with the same rule r = L I R. Then, it is ! possible to build a DPOBC-diagram with the same rule for the composition of J G and J0 G0 along L ! ! some common interface J J J . D ! 0 Take the following example as illustration of this fact. Example 4.1 (Composition of transitions). Let J G be a state of S that contains an edge a with its ! ex second connection in the interface as shown in Figure 3(a). Further, let J G be a state that contains 0 ! 0 an edge b with its second connection in the interface as shown in Figure 3(b). Both graphs can trigger a reaction from rule a/b/g. Such a composition is shown in Figure 3(c). Hence, we see that is in general possible to combine transitions to obtain new transitions. However, we emphasize at this point, that derivability of a counterpart of the communication rule of CCS is not the same question as the composition of pairs of transitions that come equipped with complete BC-diagrams. To clarify the problem, consider the following example where we cannot infer the used rule from the transition label. Example 4.2. Let G be a graph composed of two edges a and b and consider a transition label where an edge g is “added”. Then it is justiﬁed by both rules a/g and b/g (see Figure 4). We shall avoid this problem by restricting to suitable classes of graph transformation systems. More- over, for simplicities sake, we shall focus on the derivation of “silent” transitions in the spirit of the communication rule of CCS. Deﬁnition 4.2 (Silent label). A label J F K is silent or t if J = F = K;asilent transition is a ! transition with a silent label. Intuitively, a silent transition is one that does not induce any “material” change that is visible to an external observer that only has access to the interface of the states. Hence, in particular, a silent transition does not involve additions of the environment during the transition. Moreover, the interface remains Andrei Dorman, Tobias Heindel 4526

G G g a b

(a) A ﬁrst transition

G0 G0 g b a

(b) A second transition

G G

a g R4

G0 G0

Figure 3: An example of composition. unchanged. This latter requirement does not have any counterpart in process calculi, as the interface is given implicitly by the set of all free names. (In graphical encodings of process terms [3] it is possible to have free names in the interface even though there is no corresponding input or output preﬁx in the term.) Now, with the focus on silent transitions, for a given rule L I R we can illustrate the idea of ! complementary actions as follows. If a graph G contains a subgraph D of L and moreover a graph G0 has the complementary subgraph of D in L in it, then G and G0 can be combined to obtain a big graph G – the “parallel composition” of G and G0 – that has the whole left hand side L as a subgraph and thus G can perform the reaction. A natural example for this are Lafont’s interaction nets where the left hand side consist exactly of two hyper-edges, which in this case are called cells. The intuitive idea of complementary (basic) actions is captured by the notion of active pairs. Deﬁnition 4.3 (Active pairs). For any inclusion D L, where D = L and for all nodes v of D, deg(v) > 0, ! 6 let the following square be its initial pushout

L L JD D , D bL i.e. DL is the smallest subgraph of L that allows for completion to a pushout. We call DL the complement of D in L and JL the minimal interface of D in L and we write D,D L if D = DL. The set of active D { 0} ⌘ 0 b b b 4627 SOS for Graph Rewriting

a b R2 g b

(a) A transition from rule a/g

a b R3 g a

(b) A transition from rule b/g

Figure 4: Same transition label for different rules. pairs is L D = D,D L I R R,D L, D = L, v D.deg(v) > 0 . { }| ! 2 ! 6 8 2 Abusing notation, we also denote by D the union of D. b L L It is easy to verify that the complement of D in L is D itself and that its minimal interface is also JD . It is the set of “acceptable” partial matches in the sense that they do not yield a t-reaction on their own. Indeed, if D is equal to L, then the resulting transitionb of this partial match is a t-transition. And if it is just composed of vertices, its complement is L and thus not acceptable. Example 4.3 (Active pairs). In our running example, the set D of our example is in obvious bijection to a,b , a,g , b,g , a,b + g , a + b,g , a + g,b . { } { } { } { } { } { } The minimal interface of any pair is a single vertex. This completes the introduction of preliminary concepts to tackle the issues that have to be resolved to obtain “proper” compositionality of transitions.

4.1 Towards a partial solution Let us address the problem of identifying the rule that is “responsible” for a given interaction. We start by considering the left inclusions of labels, which intuitively describe possible borrowing actions from the environment. Relative to this, we define the admissible rules as those rules that can be used to let states evolve while borrowing the specified “extra material” from the environment. Definition 4.4 (Admissible rule). Let J G be a state and let J F be an inclusion (which represents a ! ! possible contribution of the context). A rule r is admissible (for J F) if L G and it is possible to ! 6! find D D and L the left-hand side of r, such that the following diagram commutes 2 L \ G Gc

J F

L JD D Andrei Dorman, Tobias Heindel 4728 where JL D is the minimal interface of D in L. We call D the rule addition. D ! This just means that G can evolve using the rule r if D is added at the proper location. J F K J0 F0 K0 Proposition 4.5 (Precompositionality). Let J G ! K H and J0 G0 ! K0 H0 be ! ! ! ! ! ! two transitions such that a single rule r is admissible for both, and let D and D0 be their respective rule additions. If D,D0 D, it is possible to compose G and G0 into a graph G in a way to be able to derive { } 2 a t-transition using rule r.

c Proof. We first show that in such a case, D0 G and the pushout of G D0 L is exactly G . Similarly, ! c ! D G0 and the pushout of G0 D L is exactly G0 . Then, it is easy to see that it is possible to build the ! ! J F K1 DPOBC-diagram D1 using rule r on G (respectively G0) yelding the transition (J G) ! (K1 H1) ! !J F K2 ! for some K ,H (respectively the DPOBC-diagram D yelding the transition (J G) ! (K H ) 1 1 2 ! ! 2 ! 2 for some K2,H2), and then compose D1 and D2. c This follows from D,D0 D and G G . Indeed, E = L so the top left morphism of the composed { } 2 ⌘ DPOBC-diagram is an isomorphism and so are the ones under it, using basic pushout properties. This first result motivates the following definition. Definition 4.6 (t-compatible). In the situation of Proposition 4.5, we say the two transitions are t- compatible. Remark 4.1. In general, in Proposition 4.5, the result of the t-transition cannot be constructed from H and H0; thus we do not yet speak of compositionality. Example 4.4. Let G be a graph composed of two edges a and g and G0 of two edges b and g (see Figure 5). Then the rule a/b is admissible for both transitions and moreover they are t-compatible. The rule a/b yields the respective rule additions. “Glueing” G and G0 by their interface results in a graph with edges a,b and two gs; the latter graph can perform a t-reaction from rule a/b, which however does not give the desired result since the target state is not the “expected composition” of H and H0. In other words, although we have been able to construct a t-transition, it is not the composition of the original transitions.

g R3 a b a

(a) A transition from rule b/g

b g R a 2 b

(b) A transition from rule a/g

Figure 5: t-compatible, but not composable: different rules.

We can see from the examples here that the difficulty of defining a composition of transitions comes mainly from three facts. The first is that a partial match can have several subgraphs triggering a reaction. This is delt with by the construction of the set of active pairs. The second one is the possibility to connect multiple edges together, not knowing which one exactly is consumed in the reaction. Finally, a given edge can have multiples ways of triggering a reaction. 4829 SOS for Graph Rewriting

4.2 Sufficient conditions We now give two frameworks in which neither of the two last problems do occur. Avoiding each of them separately is enough to define compositionality properly. Both cases are inspired by the study of interaction net systems [12, 6, 14], which can be represented in the obvious manner as graph transformation systems. In these systems, the DPOBC-diagram built from an admissible rule of a transition is necessarily the one that has to be used to derive the transition. In one case, it works for essentially the same reasons as in CCS: every active element can only interact with a unique other element, such as a vs. a, b vs. b. In the other one, the label itself is not enough, but since we also know where it “connects” to the graph, it is possible to “find” the partner that was involved in the transition. We introduce interaction graph systems, which are caracterized among other rewriting systems by the form of the left-hand sides of the reaction rules, composed of exactly two hyperedges connected by a single node. We fix a labeling alphabet L. Definition 4.7. An activated pair is a hypergraph L on L composed of two hyperedges e and f and a node v such that v appears exactly once in cnct(e) and once in cnct( f ). If v is the i-th incident vertex of e labelled a and the j-th incident vertex of f labelled b, we denote the activated pair by eion f j and label it by aion b j. An interaction graph system (L,R) is given by a set of reaction rules R over hypergraphs on L where all left-hand side of rules are activated pairs, and nodes are never deleted, i.e. for any rule r = L I R, ! L is an activated pair; • for any node v, v L v I. • 2 ) 2 Note that for any interaction graph system, the set D is composed of pairs D,D0 where each of them { } is composed of an edge and its connected vertices. Also the minimal interface of any active pair D,D { 0} is a single node. It is also the case that it is enough for interfaces to be composed of vertices only. Example 4.5. SIMPLY WIRED HYPERGRAPHS Lafont interaction nets are historically the first interaction nets. They appear as an abstraction of linear logic proof-nets [12]. Originally, Lafont nets have several particular features, but the one we are interested in is the condition on connectivity. Definition 4.8. Let N =(E,V,`,cnct) be a hypergraph on L. The graph N is simply wired if v V, deg(v) 2. When deg(v)=1, we say that v is free. 8 2  In other words, vertices are only incident to at most two edges of a graph. Note that in this special case no issues arise if we restrict to the sub-category of simply wired hypergraphs. For this, we argue that the purpose of the interface is the possible addition of extra context; thus, in simply wired hypergraphs, it is meaningless for a vertex that is already connected to two edges to be in the interface. Definition 4.9 (Lafont interaction graph system). A Lafont interaction graph is a simply connected graph such that its interface consists of free vertices only. A Lafont system L =(L,R) is given by reaction rules over Lafont interaction graphs; it is partitioned if two left-hand sides only overlap trivially, i.e. for two rules r = L I R R ( j = 1,2), either L = L or L L is the empty graph (without any nodes j j j ! j 2 1 2 1 \ 2 and any hyperedges). J F K Lemma 4.10. Let L be a partitioned Lafont system, let J G be a state, let (J G) ! (K H) ! ! ! ! be a non-t transition. Then there is exactly one admissible rule for this transition. Example 4.6. HYPERGRAPHS WITH UNIQUE PARTNERS By generalizing Lafont interaction nets, we obtain so called multiwired interaction nets. But then we lose the unicity of the rule for a given transition label. It can be recovered by another condition. Andrei Dorman, Tobias Heindel 4930

Deﬁnition 4.11 (Unique partners). Let I =(L,R) be an interaction graph system. We say it is with unique partners if for any a L and for all i ar(a), there exists a unique b L and a unique j ar(b) 2  2  such that aion b j is the label of a left-hand side of a rule in R. J F K Lemma 4.12. Let J G a state of I and (J G) ! (K H) a non-t reaction label. Then there ! ! ! ! is exactly one admissible rule r for this transition. Finally, we conclude our investigation with the following positive result. Theorem 4.13 (Compositionality). Let (L,R) be a Lafont interaction graph system, or an interaction graph system with unique partners. Let D be its set of active pairs. J F K J F K Let t =(J G) ! (K H) and t =(J G ) 0! 0 0 (K H ) be two non-t transitions 1 ! ! ! 2 0 ! 0 ! 0 ! 0 and D and D0 their respective rule additions. If D,D0 L D, let G and H are described by the following diagrams { } ⌘ 2

J0 G0 H0

L JD J G R H J G H where JL J and JL J are the inclusions from the admissibility of r for states J G and J G D ! D ! 0 ! 0 ! 0 (Definition 4.4). Then J J J (J G) ! (J H). ! ! ! Sketch of proof. By Lemma 4.10 or 4.12, there exists exactly one rule r R with L as a left-hand side 2 that allows to derive transitions t1 and t2 – it is indeed the same rule for both. Let D be the composition diagram of the DPOBC-diagrams justifying the transitions. It is first shown that G G . Since the upper and lower left squares of D are pushouts we can infer that ⌘ c D L and J F. Finally, since no vertex is deleted (see Definition 4.7), we have J C and thus K J. ⌘ ⌘ ! ⌘ So D is a BC-diagram of a t-reaction from J G to J H. ! !

In fact, the main property that we have used is the following. D L I R Deﬁnition 4.14 (Complementarity of Actions). A graph transformation systems satisﬁes Complementarity of Actions if for each transition J F K G Gc C H (J G) ! (K H) there is a unique rule L I R such that ! ! ! ! there exists a DPOBC-diagram as shown to the right. J F K

In this situation, we can effectively determine if two transitions are t-compatible. Thus we can derive a counterpart of the communication rule of CCS. Hence, if a graph transformation systems satisﬁes Complementarity of Actions then a rule of the following form is derivable in SOSBC.

J F K J F0 K0 t =(J G) ! (K H) t0 =(J G0) ! (K0 H0) ! ! ! ! ! ! t and t0 t-compatible J J J (J G) ! (J H) ! ! ! In other words, in a graph transformation system with Complementarity of Actions we can apply the results of [2] to obtain a counterpart to the communication rule. 5031 SOS for Graph Rewriting

5 Related and Future work

On a very general level, the present work is meant to strengthen the conceptual similarity of graph transformation systems and process calculi; thus it is part of a high-level research program that has been the theme of a Dagstuhl Seminar in 2005 [9]. In this wide field, structural operational semantics is occasionally considered as an instance of the tile model (see [8] for an overview). With this interpretation, SOS has served as motivation for work on operational semantics of graph transformation systems (e.g. [5]). A new perspective on operational semantics, namely the “automatic” generation of labeled transition semantics from reaction rules, has been provided by the seminal work of Leifer and Milner [13] and its successors [16, 7]; as an example application, we want to mention the “canonical” operational semantics for the ambient calculus [15]. The main point of the latter work is the focus on the “properly” inductive definition of structural operational semantics. To the best of our knowledge, there is no recent work on the operational semantics of graph transformation systems that provides a general method for the inductive definition of operational semantics. This is not to be confused with the inductive definition of graphical encodings of process calculi on (global) states. With this narrower perspective on techniques for the “automatic” generation of LTSs, we want to mention that some ideas of our three layer semantics in Section 3 can already be found in [3], where all rules of the definition of the labelled transition semantics have at most one premise. This is in contrast to the work of [15] where the labelled transition semantics is derived from two smaller subsystems: the process view and the context view; the subsystems are combined to obtain the operational semantics. The latter work is term based and it manipulates complete subterms of processes using the lambda calculus in the meta-language. We conjecture that the use of this abstraction mechanism is due to the term structure of processes. Concerning future work, the first extension of the theory concerns more general (hierarchical) graph- like structures as captured by adhesive categories [10] and their generalizations (e.g. [4]). Moreover, as an orthogonal development, we plan to consider the case of more general rules that are allowed to have an arbitrary (graph) morphism on the right hand side; moreover, also states are arbitrary morphisms. The general rule format is important to model substitution in name passing calculi while arbitrary graph morphisms as states yield more natural representations of (multi-wire) interaction nets. The main challenge is the quest for more general sufficient conditions that allow for non-trivial compositions of labelled transitions, which can be seen as a general counterpart of the CCS communication rule.

6 Conclusion

We have reformulated the BC technique as the SOSBC-system in Table 1 to make a general analogy to the SOS-rules for CCS. There is no need for a counterpart of the communication rule. We conjecture that this is due to the “flat” structure of graphs as opposed to the tree structure of CCS-terms. The main contribution concerns questions about the derivability of a counterpart of the communication rule. First, we give an example, which illustrates that the derivability of such a rule is non-trivial; however, it is derivable if the relevant graph transformation system satisfies Complementarity of Actions. We have given two classes of examples that satisfy this requirement, namely hyper-graphs with unique partners and simply wired hyper-graphs. This is a first step towards a “properly” inductive definition of structural operational semantics for graph transformation systems.

Acknowledgements We would like to thank Barbara Konig,¨ Filippo Bonchi and Paolo Baldan for providing us Andrei Dorman, Tobias Heindel 5132 with drafts and ideas about a more general research program on compositionality in graph transformation. We are also grateful for the constructive criticism and the helpful comments of the anonymous referees.

References

[1] V. Alexiev (1999): Non-deterministic interaction nets. Ph.D. thesis, University of Alberta, Edmonton, Alta., Canada. [2] P. Baldan, H. Ehrig & B. Konig¨ (2006): Composition and Decomposition of DPO Transformations with Borrowed Context. In: Proc. of ICGT ’06 (International Conference on Graph Transformation), Springer, pp. 153–167, doi:10.1007/11841883 12. LNCS 4178. [3] F. Bonchi, F. Gadducci & G. V. Monreale (2009): Labelled transitions for mobile ambients (as synthe- sized via a graphical encoding). Electronic Notes in Theoretical Computer Science 242(1), pp. 73–98, doi:10.1016/j.entcs.2009.06.014. [4] B. Braatz, H. Ehrig, G. Karsten & U. Golas (2010): Finitary M-adhesive categories. In: Graph Transforma- tions: 5th International Conference, ICGT 2010, Twente, the Netherlands, September 27–October 2, 2010, Proceedings, Springer-Verlag, pp. 234–249, doi:10.1007/978-3-642-15928-2 16. [5] Andrea Corradini, Reiko Heckel & Ugo Montanari (2000): Graphical Operational Semantics. In: ICALP Satellite Workshops, pp. 411–418. [6] T. Ehrhard & L. Regnier (2006): Differential interaction nets. Theoretical Computer Science 364(2), pp. 166–195, doi:10.1016/j.tcs.2006.08.003. [7] H. Ehrig & B. Konig¨ (2006): Deriving Bisimulation Congruences in the DPO Approach to Graph Rewriting with Borrowed Contexts. Mathematical Structures in Computer Science 16(6), pp. 1133–1163, doi:10.1017/S096012950600569X. [8] F. Gadducci & U. Montanari (2000): The tile model. In Gordon D. Plotkin, Colin Stirling & Mads Tofte, editors: Proof, Language, and Interaction, The MIT Press, pp. 133–166. [9] B. Konig,¨ U. Montanari & P. Gardner, editors (2005): 04241 Abstracts Collection. Dagstuhl Seminar Proceed- ings 04241, Internationales Begegnungs- und Forschungszentrum fur¨ Informatik (IBFI), Schloss Dagstuhl, Germany, Dagstuhl, Germany. Available at http://drops.dagstuhl.de/opus/volltexte/2005/27. [10] S. Lack & P. Sobocinski´ (2005): Adhesive and quasiadhesive categories. RAIRO - Theoretical Informatics and Applications 39(2), pp. 522–546, doi:10.1051/ita:2005028. [11] Y. Lafont (1990): Interaction nets. In: Proceedings of the 17th ACM SIGPLAN-SIGACT symposium on Princi- ples of programming languages, POPL ’90, ACM, New York, NY, USA, pp. 95–108, doi:10.1145/96709.96718. [12] Y. Lafont (1995): From proof-nets to interaction nets. In: Proceedings of the workshop on Advances in linear logic, Cambridge University Press, New York, NY, USA, pp. 225–247, doi:10.1017/CBO9780511629150.012. [13] J. J. Leifer & R. Milner (2000): Deriving Bisimulation Congruences for Reactive Systems. In Catus- cia Palamidessi, editor: CONCUR, Lecture Notes in Computer Science 1877, Springer, pp. 243–258, doi:10.1007/3-540-44618-4 19. [14] D. Mazza (2006): Interaction Nets: Semantics and Concurrent Extensions. Ph.D. thesis, Universite´ de la Mediterran´ ee´ & Roma Tre. [15] J. Rathke & P. Sobocinski´ (2010): Deriving structural labelled transitions for mobile ambients. Information and Computation 208, pp. 1221–1242, doi:10.1016/j.ic.2010.06.001. [16] V. Sassone & P. Sobocinski´ (2003): Deriving Bisimulation Congruences Using 2-categories. Nordic Journal of Computing 10(2), pp. 163–183. [17] A. Simpson (2004): Sequent calculi for process veriﬁcation: Hennessy-Milner logic for an arbitrary GSOS. Journal of Logic and Algebraic Programming 60–61, pp. 287–322, doi:10.1016/j.jlap.2004.03.004. Computing approximations for graph transformation systems

Vincent Danos Tobias Heindel Ricardo Honorato-Zimmer School of Informatics School of Informatics School of Informatics University of Edinburgh University of Edinburgh University of Edinburgh [email protected] [email protected] [email protected] Sandro Stucki [email protected] Programming Methods Laboratory, EPFL

We describe a tool that can compute a differential equation for the mean occurrence counts of a fixed graph observable in a given stochastic graph transformation system. It is an open problem whether the function that gives the mean occurrence count of the graph motif at a fixed time on the positive real line is approximable to arbitrary precision. However, the tool allows to express common practices to approximate the function using mean-field and refined approximation techniques. In the long term, we plan an extension to stochastic bisimulation checking for graph transformation systems.

1 Introduction

In the context of dynamic systems where states have complex structure, graph transformation [2, 5] is a natural candidate for a general formalism to describe all possible transitions of systems. Graph transformation is a particularly useful specification formalism if all possible transitions between system states fall into a finite number of transition classes such that each transition class has a common principle of a local structural modification that can be captured by a single rule of graph transformation. Graph transformation systems in which rules are equipped with rates gives rise to a continuous- time Markov chain [8]. Intuitively, transitions between states have now a propensity to take place in an infinitesimal small time step; formally, they define the infinitesimal generator of a Markov chain which has isomorphism classes of finite graphs as states. The central topic of the paper is the calculation of the mean occurrence count of certain graphs of interest in function of time in such a stochastically evolving graph. A classic example that comes to mind is the count of triangles in a random graph; for stochastic graph transformation systems one might thus ask how their expected numbers change over time. In general, given a stochastically evolving graph (specified by a stochastic graph transformation system), the question that we seek to answer is how many occurrences of a certain fixed graph, the observable graph pattern, can one expect to have at a given time in the future. It is an open problem whether this function can be computed to arbitrary precision in general. We present a tool that allows to compute (approximations to) this continuous-time behaviour by deriving an ordinary differential equation (ODE) for the rate of change of the mean occurrence count of any graph motif. The procedure has been informally described in [3] and we provide an abriged version in 3. It is a well-known problem to give guarantees for the quality of the approximations. § “Analytical approximation approaches vary in their complexity, and there is usually an associated trade- off in accuracy (as measured, for example, by comparing the prediction of the theory with a large-scale Monte Carlo simulation of the dynamics)” [11, p. 18]. Roughly, the problem is that the function that counts the number of occurrences of a graph does not have any bound a priori; we can nevertheless derive

Submitted to: c V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki MeMo 2015 234 Computing approximations for graph transformation systems fundamental equations for variances of counting functions and sometimes even get precise solutions. The tool has the form of a Scala library named graph-rewriting and is available for download from https://github.com/rhz/graph-rewriting/. We use the voter model treated in Ref. [3] as running example and show how to obtain its results automatically by the tool. In this model, nodes can be in either of two states, ‘red’ or ‘blue’, and there are two types of rewriting rules, so-called ‘ﬂips’ and ‘swaps’:

Flips8 Swaps8 <> <> > > White nodes: are to be thought colourless, i.e. they represent: nodes that can be in any of the two states. White nodes represent nodes that can be in any of the two states. Typically node colours are interpreted as people’s opinions and thus these rules attempt to minimise disparity among acquaintances. These rules show an interesting behaviour that has been studied in depth in Ref. [4]. One question Ref. [4] sets out to answer is what happens in the long run. Clearly, if the graph reaches a state where everyone has the same opinion, no further rule applications are possible. Also, if the graph disconnects (due to the application of a swap), as soon as every connected component becomes monochrome the system halts. What will be the number of red and blue nodes in these halted states in average? Of course, this will depend, among other factors, on the likelihood of each flip with respect to one another and the fraction of red and blue nodes at the start. Will the network split before one colour wins over the other? Since the only way to split the network is by applying a swap, the likelihood of these two rules with respect to the flips will be crucial. To answer these questions quantitatively, we equip our rules with rates and compute the derivative of the number of red (or blue) nodes over time. In the running example, the rates are k01,k10 for the flips from red (0) to blue (1) and from blue (1) to red (0), respectively; and k0,k1 are the rates for the swaps.

2 Graph transformation

Rules are like productions of Chomsky grammars, according to the analogy from the first paper of algebraic graph transformation [7]; in particular they have a left- and right-hand side. The first obvious difference are the kinds of structures being rewritten, i.e. graphs vs. strings. However, one subtle but important difference that the analogy does sweep under the carpet is the fact that applications of graph transformation rules always involve a single occurrence of the left- and right-hand side. For each rule application we always know where and how the rule is applied. This is essential for the definition of the continuous-time stochastic semantics of graph transformation. A rule of transformation for any general type of structure consists of a left-hand side L, a right-hand side R, and a pair of partial maps from nodes and edges of L to those of R such that they jointly preserve the structure of the left hand side. as in single pushout graph transformation [10]. The nodes and edges that have an image along these partial maps are preserved by the rule, although their label might change. Instead, the nodes and edges in the left-hand side that do not have an image are destroyed, while those in the right-hand side that do not have a pre-image are created by an application of the rule. Note that the application of a rule always is relative to an occurrence of the left-hand side L in a graph G, which is formalised by an injective (total) graph morphism from L to G. V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki 353

2.1 Graphs

The concrete graphs that are handled by the tool are node- and edge-labelled directed multi-graphs (although the general method applies to several other graph-like structures). Directed multi-graphs definition is as usual. The labelling of nodes and edges is formalised by a partial function from nodes (resp. edges) to colours for each state of the system, thus equipping graphs with a partial labelling of nodes (resp. edges). Colourless nodes are then those that are not in the domain of definition of the labelling function. The ocurrence count of a graph G is written as [G] and G + H denotes the disjoint union of G and H. In the graph-rewriting library, graphs are parametric in the type of nodes, edges, and labels they contain. In particular, the type of nodes and labels can be anything. Edges however can only be an instance of a class implemeting the DiEdgeLike interface. Any class that defines a source and target method can implement this interface. For multi-edges an id is needed to differentiate between edges that have the same source and target. The library comes with a default class for multi-edges, IdDiEdge, and graphs must be comprised of edges of this type to be fed to the ODE generation algorithm. The example introduced in the previous section uses undirected graphs instead of directed graphs. To encode the model, we could split each rule into two versions, one for each direction (if the rules had more than one edge it would be a combinatorial expansion though!). Here we take a simpler approach instead: edges always go from red to blue. A multi-edge can be created by using IdDiEdge’s constructor, e.g. the expression IdDiEdge(0,"u", "v") will create an edge from node “u” to “v” with an id of type Int and value 0. Also, an edge can be created by using ~~>, as in "u"~~>"v". This will implicitly define an id for that edge by means of a global counter that will not generate the same id twice but could produce an id that has been already used by the user. Graphs are mutable and so can be constructed progressively by adding nodes, edges and labels to them. When a new graph is instantiated, an initial set of nodes, edges and labels can be defined. For example, Graph("u"->"l1","v"->"l2")("u"~~>"v") will create a graph with two nodes “u” and “v” with labels “l1” and “l2” respectively and an unlabelled edge from “u” to “v”. More specifically, the Graph constructor takes as a first set of parameters any number of nodes with an optional label each, indicated by an arrow (->). Then it takes a second set of parameters for edges and their optional labels in the same fashion. Note that some nodes and edges can be left unlabelled while others are labelled. For instance, the left-hand side of the first swap rule may be constructed by the following expression: Graph("u"->"red","v"->"blue","w")("u"~~>"v"). Whenever we want to create a Graph that does not have edges or nodes or labels, we must specify a type for them. Otherwise Scala’s type inference will assign them a Nothing type. There are 4 type parameters in total for Graph’s constructor: the node type, node label type, edge type, and edge label type. The first two are specified before the first set of parameters and the other two right before the second set of parameters, as in Graph[String,String]("u")[IdDiEdge[Int, String],String](). Repeating the type parameters again every time we would like to instantiate a Graph can rapidly become unwieldy and in models usually all Graphs will have the same type signature. For this reason the library let us create custom constructors with specific type parameters defined beforehand by using Graph’s withType method, e.g. val G = Graph.withType[String,String,IdDiEdge[Int,String],String] val oneNodeGraph = G("u")() 436 Computing approximations for graph transformation systems

2.2 Rules As mentioned earlier, rules are described by two graphs (L and R) and a pair of partial maps between them for nodes and edges. The library uses Scala’s Map to deﬁne the latter. Additionally, rules are equipped with a Rate, which are comprised of a name and a value and constructed as Rate(‘‘rate name’’, rateValue) with rateValue a Double, or implicitly from a String, as in the following example (with an implicit value of 1.0). Consider the ﬁrst swap rule in our example. One way to construct this rule would be: val lhs = Graph("u"->"red","v"->"blue","w")("u"~~>"v") val rhs = Graph("u"->"red","v"->"blue","w")("v"~~>"w") val swap0 = Rule(lhs, rhs, Map("u"->"u","v"->"v","w"->"w"), Map(), "k0")

Where "k0" is the name for the rate. In the generated ODEs it will appear by this name instead of its numerical value. This allows an easier interpretation of where the terms of each ODE come from. In the deﬁnition of this Rule all nodes are preserved while no edge is, since the partial map for edges is empty. Note that, when mapping edges, attention has to be paid to the ids of edges, not just their source and target. In our example, the ﬂip rule preserves the edge in its left-hand side and can be constructed using the following code: val e="u"~~>"v" val lhs = Graph("u"->"red","v"->"blue")(e) val rhs = Graph("u"->"red","v"->"red")(e) val flip0 = Rule(lhs, rhs, Map("u"->"u","v"->"v"), Map(e->e), "k01")

The complete code needed to deﬁne all rules can be found in Appendix A.

3 ODE generation

The ODE generation algorith depends heavily on a graph construction called minimal glueings in Ref. [3] and related to local co-products. This construction allows us to characterise all pair of matches of any two graphs onto a common target graph into a unique family among ﬁnitely many. Each family represents a way in which the two graphs can overlap. Intuitively, we use it to enumerate all possible ways in which the application of a rule could create or destroy instances of the desired observables. It is worth noting that, although ﬁnite, there may be exponentially many minimal glueings (i.e. families) for a pair of graphs! Call m(A,B) the set of minimal glueings of A and B. The algorithm proceeds as follows, given an observable G: 1) for each rule left-hand side L, compute m(G,L); 2) for each rule right-hand side R, compute m(G,R) and apply the inverse rule to each element of m(G,R) – call this set m0(G,R); 3) generate an ODE for [G] of the form:

d [G]= Â k Â [H] Â [F] dt (L*R,k) R H m (G,R) F m(G,L) ! 2 2 0 2 4) We repeat the procedure for the new observables [H] and [F]. V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki 375

3.1 Equations We have just seen how to build ﬂip and swap rules and so we are ready to use our algorithm to obtain a system of differential equations that can describe the average count of an observable in time. To do this we use the generateMeanODEs method in moments. This method accepts 3 mandatory parameters, namely, the maximum number of ODEs to be discovered, a list of rules and a list of observables. Op- tionally we can provide so-called ‘transformers’ which are explained in the next section. As output, this method returns a list of equations. We can use ODEPrinter to print them to the standard output or to save them in an Octave script that will integrate the system of differential equations. To answer one of our initial questions about the model – namely how many red (or blue) nodes there are in the halted state – let us consider the following simple observable: a single red node. val redNode = G("u" -> "red")() val equations = meanfield.mfa(2, List(flip0,flip1,swap0r,swap0b,swap1r,swap1b), List(redNode)) Here we use the custom Graph constructor deﬁned above, G. To print these equations, we use ODEPrinter(equations).print. The output, rendered graphically, is:

d =(k k )( + ) (1) dt 10 01 d h i h i h i = k k + k + k (2) dt 10 01 10 01 h i h i h i h i h i k k + k + k 10 01 10 01 h i h i h i h i (k + k )( + + ) (k + k ) 10 01 1 0 h i h i h i h i If we were to ask for the ODEs of these observables, we would get bigger observables and from the ODEs of these even bigger observables in a process that would never terminate. However, we are interested in obtaining a system of differential equations that is closed. To this end, we have to make some approximations which can be integrated algorithmically by using ‘transformers’. The reader might wonder why the second ODE listed above has a term for the graph with a red and a blue node with two edges between them. This comes from the fact that whenever we apply a ﬂip to a pair of nodes that have more than one edge between them, more than one instance of the red-to-blue pattern is deleted at once. It is indeed sufﬁcient to look at each pair of multi-edges to account for all those deletions.

3.2 Transformers: approximations and simpliﬁcations A transformer is any function deﬁned on Graphs that returns a graph monomial or nothing (i.e. an Option[Mn[N,NL,E,EL]] with N, NL, E, and EL the Graph’s type parameters). A transformer is applied whenever a new observable is discovered by the ODE generation mechanism. If it returns a graph monomial, an algebraic (instead of differential) equation is generated for that observable, equating the observable to the returned monomial. Here is where the user is given the freedom to equate expressions that are not actually equal and thus introduce approximations. It is worth noting that in the abscence of transformers, all ODEs discovered by the algorithm are exact. If the transformer returns nothing, then the algorithm will compute an ODE for the observable (as long as the maximum number of ODEs to be generated hasn’t been reached). 638 Computing approximations for graph transformation systems

The ﬁrst transformer that we introduce in our example will help us to break down disconnected graph observables into their constituent connected components, keeping the size of some graph observables bounded. Formally, this amounts to say that the expected value of the ocurrence counts of a disconnected graph observable (given the time-dependent probability distribution p on the the state space), Ep([G]) with G = A + B + ... +C, is approximately E ([A]) E ([B]) ... E ([C]). This approximation is akin p · p · · p to that used in the theory of Petri nets for computing rate equations, e.g. that d E ([A]) = E ([2A]) dt p p ' E ([A])2 in the system comprised of the single reaction 2A 3A. It is based on the assumption of p ! independence between observables. In the following code snippets, we assume type N is String, E is IdDiEdge[Int,N], and NL, EL are any types. def splitConnectedComponents(g: Graph[N,NL,E,EL]): Option[Mn[N,NL,E,EL]] = if (g.isConnected) None else Some(Mn(g.components))

This is indeed a general transformation and thus it is supplied as part of the library. This transformer will return None when the graph is connected, meaning that connected graph observables will not be approximated by it. The second approximation introduced is the so-called “pair approximation”, which in the most general case entails approximating a mean ocurrence count of a graph G as the product of two overlapping subgraphs G ,G such that G G = G, divided by their intersection I, i.e. E ([G]) E ([G ])E ([G ])/ 1 2 1 [ 2 p ' p 1 p 2 Ep([I]). This approximation assumes conditional independence of the overlapping subgraphs. def pairApprox(g: Graph[N,NL,E,EL]): Option[Mn[N,NL,E,EL]] = if (g.nodes.size == 3 && g.edges.size == 2 && g.isConnected) { val List(e1, e2) = g.edges.toList val intersection = e1.nodes &~ (e1.nodes &~ e2.nodes) Mn(g.inducedSubgraph(e1.nodes)) * g.inducedSubgraph(e2.nodes) / g.inducedSubgraph(intersection) } else None

Where &~ is Scala’s set difference operator. The code presented here performs a “pair approximation” on graphs with 3 nodes and 2 edges like the ones obtained in Eq. 2, splitting them into two graphs with 2 nodes and 1 edge each, and the intersection being the node in the middle. Finally, the only observables left that blow up the expansion are the terms with multi-edges between two nodes. However, if the initial state is a sparse graph, a multi-edge is highly unlikely to ever occur. Hence we approximate this observable’s average ocurrence count as zero. def noParallelEdges(g: Graph[N,NL,E,EL]): Option[Mn[N,NL,E,EL]] = if (g.nodes.size == 2 && g.edges.size == 2) Some(Mn.zero) else None

4 Example results

In this section we show the results obtained from running the model in our example as presented in Appendix A. Please note that we have manually translated the textual output notation given by the tool V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki 397 into the graphical notation used throughout this paper.

d =(k k )( + ) dt 10 01 d h i h i h i =(k k )( + ) dt 01 10 d h i h i h i = k / + k / dt 10 10 h i h ih i h i h ih i h i k / + k / 10 10 h ih i h i h ih i h i k / + k / 01 01 h ih i h i h ih i h i k / + k / 01 01 h ih i h i h ih i h i (k + k ) (k + k ) 10 01 1 0 d h i h ih i = k / + k / dt 10 10 h i h ih i h i h ih i h i k / + k / 10 10 h ih i h i h ih i h i k / + k / 01 01 h ih i h i h ih i h i k / + k / 01 01 h ih i h i h ih i h i (k + k ) (k k ) 10 01 1 0 d h i h ih i = 2k / 2k / dt 01 01 h i h ih i h i h ih i h i + 2k10 / + k10 / h ih i h i h ih i h i + k10 / + k10 + k10 d h ih i h i h i h i = 2k / 2k / dt 10 10 h i h ih i h i h ih i h i + 2k01 / + k01 / h ih i h i h ih i h i + k01 / + k01 + k01 d h ih i h i h i h i = 0 dt h i Note that the algorithm discovered that the number of nodes with any colour is invariant. By generating an Octave script using saveAsOctave method in ODEPrinter, the system of differential equations can be integrated numerically. In particular, the solution to the set of ODEs above has been computed and is shown in Fig. 1.

4.1 Variance and other moments

In addition to the mean number of red nodes (Ep([0])), we can compute what the variance of this number is by using the formula V([0]) = E ([0]2) E ([0])2. Minimal glueings let us express [0]2 as a sum of p p 840 Computing approximations for graph transformation systems

100

Ep([0]) Ep([01]) 80 Ep([00]) Ep([?])

40 Expected value

0 0 0.005 0.01 0.015 0.02 0.025 Time (arbitrary units)

Figure 1: Solution to the system of ordinary differential equations given the following initial conditions: [0]=50,[1]=50,[01]=50,[10]=50,[00]=50,[11]=50, and [?]=100 with ? the graph consisting of a single colourless node and rates k10 = 15, k01 = 0.1, k0 = 1, and k1 = 1.

2 observables: [0] =[0 + 0]+[0]. For this reason, we compute an ODE for Ep([0 + 0]) without using any transformers (splitConnectedComponents would transform [0 + 0] back into [0]2 and the other two are irrelevant in this case). d = 2(k k )( + )+2k ( + ) (3) dt 10 01 10 h i h i h i h i h i Formulas exist that relate the value of any moment to lower moments. Hence these higher moments can be computed in a similar fashion to the one shown here.

5 Related and future work

A complete list of related work is beyond the scope of the paper: We expect a large number of concrete models that have been studied extensively in application-specific, ad hoc terminology to be captured equally well by graph transformation. We refer the reader to Ref. [11] for a recent overview on dynamical systems on networks that are of particular interest to the authors and gives references for a relevant part of the immense body of literature; in particular, the type of approximations that we expect to be used as transformers in our tool are related to those listed under the heading of Mean-Field Theories, Pair Approximations, and Higher-Order Approximations in the latter work. A modelling formalism that is closely related to the algebraic approach to graph transformation are process calculi. Before we sketch possible future research on the connection to this field, especially recent work on stochastic process calculi such as [1], we point out some important differences. The V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki 419 terminology of observable is inspired by (classical) physics, chemistry and biology. In particular, graph observables are a priori unrelated to the notion of observable actions from the process calculi literature and there is no direct link to observational equivalences; also, the relation to observability in control theory is unclear at best. Similarly, the question of whether it is suitable to consider a certain graph as observable cannot be answered from the set of rules and the initial state alone; it is necessary to have additional information from the specific application at hand. In examples from biology, such as protein translation as modelled by the TASEP (see Ref. [13] for a tutorial), a graph would be suitable for observation if the evolution of its mean occurrence counts would have a corresponding set of experiments that allow to falsify or validate the model. For the possible relations of the present paper to the process calculus literature that do exist, note first that rule applications of graph transformation correspond to single step reductions in process calculi. The ground-breaking observation of Leifer and Milner [9] was that one can automatically derive labelled transition systems from reduction semantics (for process calculi). This idea has been successfully transferred to graph transformation [6]. We plan to use techniques from Ref. [6] to canonically associate labelled Markov processes to graph transformation systems. We expect that analogues to the semantics of CCS as labelled Markov processes given in [1] can be derived without complications; moreover, the resulting labelled Markov processes might be meaningful for complex networks modelled by graph transformation (while we would be rather surprised if such interactive semantics have applications in biology or chemistry). In a slightly different direction and as a long term goal, we want to explore whether the data structures and operations on graphs that are implemented in the tool can be re-used for checking (approximate) stochastic bisimulation of graph transformation systems.

References

[1] Luca Cardelli & Radu Mardare (2014): The Measurable Space of Stochastic Processes. Fundam. In- form. 131(3-4), pp. 351–371, doi:10.3233/FI-2014-1019. Available at http://dx.doi.org/10.3233/ FI-2014-1019. [2] Andrea Corradini, Ugo Montanari, Francesca Rossi, Hartmut Ehrig, Reiko Heckel & Michael Lowe¨ (1997): Algebraic Approaches to Graph Transformation - Part I: Basic Concepts and Double Pushout Approach. In Rozenberg [12], pp. 163–246. [3] Vincent Danos, Tobias Heindel, Ricardo Honorato-Zimmer & Sandro Stucki (2014): Approximations for Stochastic Graph Rewriting. In: ICFEM, pp. 1–10, doi:10.1007/978-3-319-11737-9 1. Available at http: //dx.doi.org/10.1007/978-3-319-11737-9_1. [4] Richard Durrett, James P Gleeson, Alun L Lloyd, Peter J Mucha, Feng Shi, David Sivakoff, Joshua ES Socolar & Chris Varghese (2012): Graph ﬁssion in an evolving voter model. Proceedings of the National Academy of Sciences 109(10), pp. 3682–3687. [5] Hartmut Ehrig, Reiko Heckel, Martin Korff, Michael Lowe,¨ Leila Ribeiro, Annika Wagner & Andrea Corra- dini (1997): Algebraic Approaches to Graph Transformation - Part II: Single Pushout Approach and Com- parison with Double Pushout Approach. In Rozenberg [12], pp. 247–312. [6] Hartmut Ehrig & Barbara Konig¨ (2006): Deriving bisimulation congruences in the DPO approach to graph rewriting with borrowed contexts. Mathematical Structures in Computer Science 16(6), pp. 1133–1163, doi:10.1017/S096012950600569X. Available at http://dx.doi.org/10.1017/S096012950600569X. [7] Hartmut Ehrig, Michael Pfender & Hans Jurgen¨ Schneider (1973): Graph-Grammars: An Algebraic Ap- proach. In: 14th Annual Symposium on Switching and Automata Theory, Iowa City, Iowa, USA, Octo- ber 15-17, 1973, IEEE Computer Society, pp. 167–180, doi:10.1109/SWAT.1973.11. Available at http: //dx.doi.org/10.1109/SWAT.1973.11. 1042 Computing approximations for graph transformation systems

[8] Reiko Heckel, Georgios Lajios & Sebastian Menge (2006): Stochastic Graph Transformation Systems. Fundamenta Informaticae 74(1), pp. 63–84. Available at http://iospress.metapress.com/content/ c7ha18g96nbm7g2e/. [9] James J. Leifer & Robin Milner (2000): Deriving Bisimulation Congruences for Reactive Systems. In Catus- cia Palamidessi, editor: CONCUR 2000 - Concurrency Theory, 11th International Conference, University Park, PA, USA, August 22-25, 2000, Proceedings, Lecture Notes in Computer Science 1877, Springer, pp. 243–258, doi:10.1007/3-540-44618-4 19. Available at http://dx.doi.org/10.1007/3-540-44618-4_ 19. [10] Michael Lowe¨ (1993): Algebraic Approach to Single-Pushout Graph Transformation. Theor. Comput. Sci. 109(1&2), pp. 181–224, doi:10.1016/0304-3975(93)90068-5. Available at http://dx.doi.org/10.1016/ 0304-3975(93)90068-5. [11] Mason A. Porter & James P. Gleeson (2014): Dynamical Systems on Networks: A Tutorial. CoRR abs/1403.7663. Available at http://arxiv.org/abs/1403.7663. [12] Grzegorz Rozenberg, editor (1997): Handbook of Graph Grammars and Computing by Graph Transforma- tions, Volume 1: Foundations. World Scientiﬁc. [13] R.K.P. Zia, J.J. Dong & B. Schmittmann (2011): Modeling Translation in Protein Synthesis with TASEP: A Tutorial and Recent Developments. Journal of Statistical Physics 144(2), pp. 405–428, doi:10.1007/s10955- 011-0183-1. Available at http://dx.doi.org/10.1007/s10955-011-0183-1.

A Voter model import graph_rewriting._ import implicits._ import moments._ // this imports N=String and E=IdDiEdge[Int,N] type NL = String type EL = String val G = Graph.withType[N,NL,E,EL] // first flip val e="u"~~>"v" val rb = G("u"->"red","v"->"blue")(e) val br = G("u"->"blue","v"->"red")(e) val bb = G("u"->"blue","v"->"blue")(e) val flip0a = Rule(rb, bb, Map("u"->"u","v"->"v"), Map(e->e), "k01") val flip0b = Rule(br, bb, Map("u"->"u","v"->"v"), Map(e->e), "k01") // second flip val rr = G("u"->"red","v"->"red")(e) val flip1a = Rule(rb, rr, Map("u"->"u","v"->"v"), Map(e->e), "k10") val flip1b = Rule(br, rr, Map("u"->"u","v"->"v"), Map(e->e), "k10") // first swap (blue rewire) val rbw1 = G("u"->"red","v"->"blue","w")("u"~~>"v") val rbw2 = G("u"->"red","v"->"blue","w")("w"~~>"v") val swap0a = Rule(rbw1, rbw2, Map("u"->"u","v"->"v","w"->"w"), V. Danos, T. Heindel, R. Honorato-Zimmer & S. Stucki 1143

Map(), "k0") val brw1 = G("u"->"blue","v"->"red","w")("u"~~>"v") val brw2 = G("u"->"blue","v"->"red","w")("w"~~>"u") val swap0b = Rule(brw1, brw2, Map("u"->"u","v"->"v","w"->"w"), Map(), "k0") // second swap (red rewire) val rbw3 = G("u"->"red","v"->"blue","w")("w"~~>"u") val swap1a = Rule(rbw1, rbw3, Map("u"->"u","v"->"v","w"->"w"), Map(), "k1") val brw3 = G("u"->"blue","v"->"red","w")("w"~~>"v") val swap1b = Rule(brw1, brw3, Map("u"->"u","v"->"v","w"->"w"), Map(), "k1") def pairApproximation(g: Graph[N,NL,E,EL]): Option[Mn[N,NL,E,EL]] = if (g.nodes.size == 3 && g.edges.size == 2 && g.isConnected) { val List(e1, e2) = g.edges.toList val intersection = e1.nodes &~ (e1.nodes &~ e2.nodes) Mn(g.inducedSubgraph(e1.nodes)) * g.inducedSubgraph(e2.nodes) / g.inducedSubgraph(intersection) } else None def noParallelEdges(g: Graph[N,NL,E,EL]): Option[Mn[N,NL,E,EL]] = if (g.nodes.size == 2 && g.edges.size == 2) Some(Mn.zero) else None val redNode = G("u" -> "red")() val twoRedNodes = G("u" -> "red", "v" -> "red")() val odes = generateMeanODEs(10, List(flip0a,flip0b,flip1a,flip1b,swap0a,swap0b,swap1a,swap1b), List(redNode), splitConnectedComponents[N,NL,E,EL] _, pairApproximation _, noParallelEdges _) ODEPrinter(odes).print println() val varianceODE = generateMeanODEs(1, List(flip0a,flip0b,flip1a,flip1b,swap0a,swap0b,swap1a,swap1b), List(twoRedNodes)) ODEPrinter(varianceODE).print Modal Logics for Nominal Transition Systems

Joachim Parrow Johannes Borgstrom¨ Lars-Henrik Eriksson Ramunas¯ Gutkovas Tjark Weber

We deﬁne a uniform semantic substrate for a wide variety of process calculi where states and action labels can be from arbitrary nominal sets. A Hennessy-Milner logic for these systems is introduced, and proved adequate for bisimulation equivalence. We show how to treat different bisimulation variants such as early, late and open in a systematic way, and make substantial comparisons with related work. The main deﬁnitions and theorems have been formalized in Nominal Isabelle.

1 Introduction

Transition systems. Transition systems are ubiquitous in models of computing, and specifications to say what may and must happen during executions are often formulated in a modal logic. There is a plethora of different versions of both transition systems and logics, including a variety of higher-level constructs such as updatable data structures, new name generation, alias generation, dynamic topologies for parallel components etc. In this paper we formulate a general framework where such aspects can be treated uniformly, and define accompanying modal logics which are adequate for bisimulation. This is related to, but independent of, our earlier work on psi-calculi [4], which proposes a particular syntax for defining behaviours. The present paper does not depend on any such language, and provides general results for a large class of transition systems. In any transition system there is a set of states P,Q,... representing the configurations a system can reach, and a relation telling how a computation can move between them. Many formalisms, for example all process algebras, define languages for expressing states, but in the present paper we shall make no assumptions about any such syntax. In systems describing communicating parallel processes the transitions are labelled with actions a,b, representing the externally observable effect of the transition. A transition P a P thus says that in state ! 0 P the execution can progress to P0 while conducting the action a, which is visible to the rest of the world. For example, in CCS these actions are atomic and partitioned into output and input communications. In value-passing calculi the actions can be more complicated, consisting of a channel designation and a value from some data structure to be sent along that channel.

Scope openings. With the advent of the pi-calculus [19] an important aspect of transitions was introduced: that of name generation and scope opening. The main idea is that names (i.e., atomic identiﬁers) can be scoped to represent local resources. They can also be transmitted in actions, to give a parallel entity access to this resource. In the monadic pi-calculus such an action is written a(nb), to mean that the local name b is exported along the channel a. These names can be subjected to alpha-conversion: if a(nb) a(nc) P P and c is a fresh name then also P P c/b , where P c/b is P with all bs replaced by ! 0 ! 0{ } 0{ } 0 cs. Making this idea fully formal is not entirely trivial and many papers gloss over it. In the polyadic pi-calculus several names can be exported in one action, and in psi-calculi arbitrary data structures may contain local names. In this paper we make no assumptions about how actions are expressed, and just assume that for any action a there is a ﬁnite set of names bn(a), the binding names, representing exported

c Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber DRAFT May 18, 2015 This work is licensed under the Creative Commons Attribution-No Derivative Works License. 245 Modal Logics for Nominal Transition Systems names. In our formalization we use nominal sets, an attractive theory to reason about objects depending on names on a high level and in a fully rigorous way.

State predicates. The ﬁnal general components of our transition systems are the state predicates ranged over by j, representing what can be concluded in a given state. For example state predicates can be equality tests of expressions, or connectivity between communication channels. We write P j to mean ` that in state P the state predicate j holds. A structure with states, transitions and state predicates as discussed above we call a nominal transition system.

Hennessy-Milner Logic. Modal logic has been used since the 1970s to describe how facts evolve through computation. We use the popular and general branching time logic known as Hennessy-Milner Logic [15] (HML). Here the idea is that an action modality a expresses a possibility to perform an h i action a. If A is a formula then a A says that it is possible to perform a and reach a state where A h i holds. With conjunction and negation this gives a powerful logic shown to be adequate for bisimulation equivalence: two processes satisfy the same formulas exactly if they are bisimilar. In the general case, conjunction must take an infinite number of operands when the transition systems have states with an infinite number of outgoing transitions. The fully formal treatment of this requires care in ensuring that such infinite conjunctions do not exhaust all names, leaving none available for alpha-conversion. All previous works that have considered this issue properly have used uniformly bounded conjunction, i.e. the set of all names in all conjuncts is finite.

Contributions. Our definition of nominal transition systems is very general since we leave open what the states, transitions and predicates are. The only requirement is that transitions satisfy alpha-conversion. A technically important point is that we do not assume the usual name preservation principle, that if P a P ! 0 then the names occurring in P0 must be a subset of those occurring in P and a. This means that the results are applicable to a wide range of calculi. For example, the pi-calculus represents a trivial instance where there are no state predicates. CCS represent an even more trivial instance where bn always returns the empty set. In the fusion calculus and the applied pi-calculus the state contains an environmental part which tells what expressions are equal to what. In the general framework of psi-calculi the states are processes with assertions describing their environments. We define a modal logic with the a operator that binds the names in bn(a), and contains operators h i for state predicates. In this way we get a logic for an arbitrary nominal transition system such that logical equivalence coincides with bisimilarity. We also show how variants of the logic correspond to late, open and hyperbisimilarity in a uniform way. The main technical difficulty is to ensure that formulas and their alpha-equivalence classes throughout are finitely supported, i.e. only depend on a finite set of names, even in the presence of infinite conjunction. Instead of uniformly bounded conjunction we use the notion of finite support from nominal sets. This results in greater generality and expressiveness. For example, we can now define quantifiers and the next step modalities as derived operators.

Formalization. Our main definitions and theorems have been formalized in Nominal Isabelle [26]. This has required significant new ideas to represent data types with infinitary constructors like infinite conjunction and their alpha-equivalence classes. As a result we corrected several details in our formulations and proofs, and now have very high confidence in their correctness. The formalization effort has been substantial, but certainly less than half of the total effort, and we consider it a very worthwhile investment. Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 463

Exposition. In the following section we provide the necessary background on nominal sets. In Section 3 we present our main definitions and results on nominal transition systems and modal logics. In Section 4 we derive useful operators such as quantifiers and fixpoints, and indicate some practical uses. Section 5 shows how to treat variants of bisimilarity such as late and open in a uniform way, and in Section 6 we compare with related work and demonstrate how our framework can be applied to recover earlier results uniformly. Finally Section 7 concludes with some remarks on the formalization in Nominal Isabelle. All proofs are relegated to the Appendix.

2 Background on nominal sets

Nominal sets [24] is a general theory of objects which depend on names, and in particular formulates the notion of alpha-equivalence when names can be bound. The reader need not know nominal set theory to follow this paper, but some key definitions will make it easier to appreciate our work and we recapitulate them here. We assume an infinitely countable multi-sorted set of atomic identifiers or names N ranged over by a,b,.... The permutations is the group of name permutations that leave all but finitely many names invariant. The singleton permutation which swaps names a and b and has no other effect is written (ab), and the identity permutation that swaps nothing is written id. Permutations are ranged over by p,p0. The effect of applying a permutation p to an object X is written p X. Formally, the permutation action can · · be any operation that satisfies id X = X and p (p X)=(p p ) X, but a reader may comfortably think · · 0 · 0 · of p X as the object obtained by permuting all names in X according to p. · A set of names N supports an object X if for all p that leave all members of N invariant it holds p X = X. In other words, a support N of X is such that names outside N do not matter to X. If X has a · finite support then it also has a unique minimal support, written supp(X), intuitively consisting of exactly the names that matter to X. As an example the set of names textually occurring in a datatype element is the support of that element, and the set of free names is the support of the alpha equivalence class of the element. Note that in general, the support of a set is not the same as the union of the support of its members. An example is the set of all names; each element has itself as support, but the whole set has empty support since any permutation of the set yields the same set. We write a#X, pronounced “a is fresh for X”, for a supp(X). The intuition is that if a#X then X 62 does not depend on a in the sense that a can be replaced with any fresh name without affecting X. If A is a set of names we write A#X for a A.a#X. 8 2 A nominal set S is a set with a permutation action such that X S p X S, and where each 2 ) · 2 member X S has finite support. A main point is that then each member has infinitely many fresh names 2 available for alpha-conversion. Similarly, a set of names N supports a function f on a nominal set if for all p that leave N invariant it holds p f (X)= f (p X), and similarly for relations and functions of higher · · arity. Thus we extend the notion of support to finitely supported functions and relations as the minimal finite support, and can derive general theorems such as supp( f (X)) supp( f ) supp(X). ✓ [ An object that has empty support we call equivariant. For example, a unary function f is equivariant if p f (X)= f (p X) for all p,X. The intuition is that an equivariant object does not treat any name · · special.

3 Nominal transition systems and Hennessy-Milner logic

Deﬁnition 1. A nominal transition system is characterized by the following 447 Modal Logics for Nominal Transition Systems

STATES: A nominal set of states ranged over by P,Q. • PRED: A nominal set of state predicates ranged over by j. • An equivariant binary relation on STATES and PRED. We write P j to mean that in state P • ` ` the state predicate j holds.

ACT: A nominal set of actions ranged over by a. • An equivariant function bn from ACT to finite sets of names, which for each a returns a subset of • supp(a), called the binding names. An equivariant transition relation on states and residuals. A residual is a pair of action and • !a state. For (P,(a,P0)) we write P P0. The transition relation must satisfy alpha-conversion of ! ! a (ab) a residuals: If a bn(a),b#a,P and P P then also P · (ab) P . 2 0 ! 0 ! · 0 Definition 2. A bisimulation R is a symmetric binary relation on states in a nominal transition system satisfying the following two criteria: R(P,Q) implies 1. Static implication:P j implies Q j. ` ` a a 2. Simulation: For all a,P such that bn(a)#Q there exist Q such that if P P then Q Q and 0 0 ! 0 ! 0 R(P0,Q0) We write P · Q to mean that there exists a bisimulation R such that R(P,Q). ⇠ Static implication means that bisimilar states must satisfy the same state predicates; this is reasonable since these can be tested by an observer. The simulation requirement is familiar from the pi-calculus. Proposition 3. · is an equivariant equivalence relation. ⇠ The minimal HML for nominal transition systems is the following. Definition 4. The nominal set of formulas A ranged over by A is defined by induction as follows:

A ::= Ai A j a A i I |¬ | | h i ^2 Support and name permutation are defined as usual (permutation distributes over all formula constructors). In i I Ai it is assumed that the indexing set I has bounded cardinality, by which we mean that 2 I k for some fixed infinite cardinal k at least as large as the cardinality of STATES, ACT and PRED. | |  V It is also required that Ai i I has finite support; this is then the support of the conjunction. Note that { } 2 this does not imply that each conjunct has that support, and that we do not require the support of the conjuncts to be uniformly bounded. Alpha-equivalent formulas are identified; the only binding construct is in a A where bn(a) binds into A. h i The validity of a formula A for a state P is written P = A and is defined by induction on A as follows. | Definition 5. P = i I Ai if for all i I it holds that P = Ai | 2 2 | P = A if not P = A | ¬V | P = j if P j | ` a P = a A if there exists P such that P P and P = A | h i 0 ! 0 0 | In the last clause we assume that a A is a representative of its alpha-equivalence class such that h i bn(a)#P. It is easy to show that = is an equivariant relation. | Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 485

Definition 6. Two states P and Q are logically equivalent, written P =· Q, if for all A it holds that P = A | iff Q = A | Theorem 7. P · Q = P =· Q ⇠ ) The proof is by induction over formulas. The converse result uses the idea of distinguishing formulas. Definition 8. A distinguishing formula for P and Q is a formula A such that P = A and not Q = A. | | Note that if A is a distinguishing formula for P and Q then A is a distinguishing formula for Q and ¬ P. Thus P and Q are logically equivalent precisely if there is no distinguishing formula for P and Q. The following lemma says that we can find such a formula where, a bit surprisingly, the support does not depend on Q. Lemma 9. If A is a distinguishing formula for P and Q, then there exists a distinguishing formula B for P and Q such that supp(B) supp(P). ✓ The proof is by direct construction: in the terminology of Pitts [24, Ch. 5] B is the conjunction of hullsupp(P)A. Theorem 10. P =· Q = P · Q ) ⇠ Proof: We establish that =· is a bisimulation. The proof of the simulation property of Theorem 10 is different from earlier similar proofs. These use the name preservation property to show that =· restricted to states with a finite bound on the names is a bisimulation. This does not hold in the present paper; instead we use Lemma 9 to bound the support of distinguishing formulas.

4 Derived formulas

Dual connectives. We define logical disjunction i I Ai in the usual way as i I Ai, when the index- 2 ¬ 2 ¬ ing set I has bounded cardinality and Ai i I has finite support. A special case is I = 1,2 : we then { } 2 W V { } write A1 A2 instead of i I Ai, and dually for A1 A2. We write for the empty conjunction i /0 , and ^ 2 _ > 2 for . The must modality [a]A is defined as a A, and requires A to hold after every possible ? ¬> V ¬h i¬ V a-labelled transition from the current state. For example, [a](A B) is equivalent to [a]A [a]B, and ^ ^ dually a (A B) is equivalent to a A a B. h i _ h i _h i Quantifiers. Let S be any finitely supported set of bounded cardinality and use v to range over members v of S. Write A /x for the substitution of v for x in A, and assume this substitution function is equivariant. { } v Then we define x S.A as v S A /x . There is not necessarily a common finite support for the 8 2 2 { } formulas A v/ , for example if S is some term algebra over names, but the set A v/ : v S has { x} V { { x} 2 } finite support bounded by x supp(S) supp(A). In our examples in Section 6, substitution is defined { } [ [ inductively on the structure of formulas, based on primitive substitution functions for actions and state predicates, avoiding capture and preserving the binding names of actions. Existential quantification x S.A is defined as the dual x S. A. When X is a metavariable 9 2 ¬8 2 ¬ used to range over a nominal set X , we simply write X for “X X ”. As an example, a.A means that 2 8 the formula A n/ holds for all names n N . { a} 2 New name quantifier. The new name quantifier xN .A intuitively states that P = A n/ holds where n | { x} is a fresh name for P. For example, suppose we have actions of the form ab for input, and ab for output where a and b are free names, then the formula xN .[ax] bx expresses that whenever a process inputs a h i> fresh name x on channel a, it has to be able to output that name on channel b. If the name received is not 649 Modal Logics for Nominal Transition Systems fresh (i.e., already present in P) then P is not required to do anything. Therefore this formula is weaker than x.[ax] bx . 8 h i> To define this formally we use name permutation rather than substitution. Since A and P have finite support, if P =(xn) A holds for some n fresh for P, by equivariance it also holds for almost all n, | · i.e., all but finitely many n. Conversely, if it holds for almost all n, it must hold for some n#supp(P). Therefore N x is often pronounced “for almost all x”. In other words, P = xN .A holds if x P = A(x) | { | | } is a cofinite set of names [24, Definition 3.8]. Letting COF = S N N S is finite we thus encode { ✓ | \ } N x.A as S COF n S(xn) A. This formula states there is a cofinite set of names such that for all of them 2 2 · A holds. The support of n S(xn) A is bounded by (N S) supp(A) where S COF, and the support W V 2 · \ [ 2 of the encoding S COF n S(xn) A is bounded by supp(A). 2 V2 · W V Next step. We generalise the action modality to sets of actions in the following way. If T is a finitely supported set of actions such that bn(a)#A for all a T, we write T A for a T a A. The support 2 h i 2 h i of the set a A : a T is bounded by supp(T) supp(A) and thus finite. Dually, we write [T]A for {h i 2 } [ W T A, denoting that A holds after all transitions with actions in T. ¬h i¬ To encode the next-step modality, we let ACT = a : bn(a)#A . Noting that supp(ACT ) supp(A) A { } A ✓ is finite, we write A for ACT A, meaning that we can make some (non-capturing) transition to a state hi h Ai where A holds. As an example, means that the current state is not deadlocked. The dual modality hi> []A = A means that A holds after every transition from the current state. Larsen [17] uses the same ¬hi¬ approach to define next-step operators in HML, though his version is less expressive since he uses a finite action set to define the next-step modality.

Fixpoints. Fixpoint operators are a way to introduce recursion into a logic. For example, they can be used to concisely express safety and liveness properties of a transition system, where by safety we mean that some invariant holds for all reachable states, and by liveness that some property will eventually hold. Kozen (1983) [16] introduced the least (µX.A) and the greatest (nX.A) fixpoints in modal logic. Intuitively, the least fixpoint states a property that holds for states of a finite path, while the greatest holds for states of an infinite path. Theorem 11. The least and greatest fixpoint operators are expressible in our HML. For the full proofs and definitions, see the appendix. The idea is to start with an extended language with the forms µX.A and X, where X ranges over a countable set of variables and all occurrences of X in A are in the scope of an even number of negations. Write A(B) for the capture-avoiding substitution of B for X in A, and let A0(B)=B and Ai+1(B)=A(Ai(B)). Then the encoding of a least fixpoint i µX.A is i N A ( ), given that fixpoints have been recursively expanded in A. The disjunction has finite 2 ? (A) support suppW , since substitution is equivariant. When interpreting formulas as elements of the power- set lattice of STATES, this encoding yields a fixpoint of A( ): the sequence of formulas Ai( ) yields · ? an approximation from below. We define the greatest fixpoint operator nX.A in terms of the least as µX. A( X). ¬ ¬ ¬ Using the greatest fixpoint operator we can state global invariants: nX.[a]X A expresses that A ^ holds along all paths labelled with a. Temporal operators such as eventually can also be encoded using the least fixpoint operator: the formula µX. a X A states that eventually A holds along some path h i _ labelled with a. We can freely mix the fixpoint operators to obtain formulas like nX.[a]X (µY. b Y ^ h i _ A) which means that for each state along any path labelled with a, a state where A holds is reachable along a path labelled with b. Formulas with mixed fixpoint combinators are very expressive, and with the next operator they can encode the branching-time logic CTL⇤ [11]. Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 507

5 Logics for variants of bisimilarity

The bisimilarity of Section 3 is of the early kind: any substitutive effect of an input (typically replacing a variable with the value received) must have manifested already in the action corresponding to the input, since we apply no substitution to the target state. Alternative treatments of substitutions include late-, open- and hyperbisimilarity, where the input action instead contains the variable to be replaced, and there are different ways to make sure that bisimulations are preserved by relevant substitutions. In our definition of nominal transition systems there are no particular input variables in the states or in the actions, and thus no a priori concept of “substitution”. We therefore choose to formulate the alternatives using so called effect functions. An effect is simply a finitely supported function from states to states. For example, in the monadic pi-calculus the effects would be the functions replacing one name by another. In a value-passing calculus the effects would be substitutions of values for variables. In the psi-calculi framework the effects would be sequences of parallel substitutions. Our definitions and results are applicable to any of these; our only requirement is that the effects form a nominal set which we designate by F . Variants of bisimilarity then correspond to requiring continuation after various effects. For example, if the action contains an input variable x then the effects appropriate for late bisimilarity would be substitutions for x. We will formulate these variants as F/L-bisimilarity, where F (for first) represents the set of effects that must be observed before following a transition, and L (for later) is a function that represents how this set F changes depending on the action of a transition, i.e., L(a,F) is the set of effects that must follow the action a if the previous effect set was F. In the following let Pfs(F ) ranged over by F be the finitely supported subsets of F , and L range over equivariant functions from actions and Pfs(F ) to Pfs(F ). Definition 12. An L-bisimulation where L : ACT P (F ) P (F ) is a P (F )-indexed family of ⇥ fs ! fs fs symmetric binary relations on states satisfying the following: If RF (P,Q) then: 1. Static implication: for all f F it holds that f (P) j implies f (Q) j. 2 ` ` 2. Simulation: For all f F and a,P such that bn(a)# f (Q) there exist Q such that 2 0 0 if f (P) a P then f (Q) a Q and R (P ,Q ) ! 0 ! 0 L(a,F) 0 0 F/L We write P Q, called F/L-bisimilarity, to mean that there exists an L-bisimulation R such that ⇠ RF (P,Q).

Most strong bisimulation varieties can be formulated as F/L-bismilarity. Write idSTATES for the identity function on states, ID for the singleton set id and all for the constant function { STATES} ID l(a,F).ID. Early bisimilarity, precisely as deﬁned in Deﬁnition 2, is ID/all -bisimilarity. • ID Early equivalence, i.e. early bisimilarity under all possible effects, is F /all -bisimilarity. • ID Late bisimilarity is ID/L-bisimilarity, where L(a,F) yields the effects that represent substitutions • for variables in input actions a (and ID for other actions). Late equivalence is similarly F /L-bisimilarity. • Open bisimilarity is F /L-bisimilarity where L(a,F) is the set F minus all effects that change • bound output names in a. 851 Modal Logics for Nominal Transition Systems

Hyperbisimilarity is F /l(a,F).F -bisimilarity. • All of the above are generalizations of known and well-studied definitions. The original value- passing variant of CCS [18] uses early bisimilarity. The original bisimilarity for the pi-calculus is of the late kind [19], where it also was noted that late equivalence is the corresponding congruence. Early bisimilarity and equivalence and open bisimilarity for the pi-calculus were introduced in 1993 [20, 25], and hyperbisimilarity for the fusion calculus in 1998 [22]. In view of this we only need to provide a modal logic adequate for F/L-bisimilarity; it can then immediately be specialized to all of the above variants. For this we introduce a new kind of logical operator as follows. Definition 13. For each f F the logical unary effect consequence operator f has the definition 2 h i P = f A if f (P) = A | h i | Thus the formula f A means that A holds if the effect f is applied to the state. Note that by definition h i this distributes over conjunction and negation, e.g. P = f A iff P = f A iff not f (P) = A etc. The | ¬h i | h i¬ | effect consequence operator is similar in spirit to the action modalities: both f A and a A assert that h i h i something (an effect or action) must be possible and that A holds afterwards. Indeed, effects can be viewed as a special case of transitions (as formalised in Definition 17 below) which is why we give the operators a common syntactic appearance. Now define the formulas that can directly use effects from F and after actions use effects according to L, ranged over by AF/L, in the following way: Definition 14. Given L as in Definition 12, for all F P (F ) define A F/L as the set of formulas given 2 fs by the mutually recursive definitions:

F/L F/L F/L L(a,F)/L A ::= Ai A f j f a A i I |¬ | h i | h ih i ^2 where we require f F and that the conjunction has bounded cardinality and ﬁnite support. 2 F/L Let P = Q mean that P and Q satisfy the same formulas in A F/L. F/L F/L Theorem 15. P Q P = Q ⇠ , Proof: The direction is a generalization of Theorem 7. The other direction is a generalization of )F/L Theorem 10: we prove that = is an F/L-bisimulation. It needs a variant of Lemma 9: Lemma 16. If A A F/L is a distinguishing formula for P and Q, then there exists a distinguishing 2 formula B A F/L for P and Q such that supp(B) supp(P,F). 2 ✓ The proof is an easy generalisation of Lemma 9. An alternative to the effect consequence operators is to transform the transition system such that standard (early) bisimulation on the transforms coincides with F/L-bisimilarity. The idea is to let the f effect function be part of the transition relation, thus f (P)=P becomes P P . 0 ! 0 Deﬁnition 17. Assume F and L as above. The L-transform of a nominal transition system T is a nominal transition system where: The states are of the form AC(F, f (P)) and EF(F,P), for f F P (F ) and states P of T. The • 2 2 fs intuition is that states of kind AC can perform ordinary actions, and states of kind EF can commit effects. Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 529

The state predicates are those of T. • AC(F,P) j if in T it holds P j, and EF(F,P) j never holds. • ` ` ` The actions are the actions of T and the effects in F . • bn is as in T, and additionally bn( f )=/0 for f F . • 2 a a The transitions are of two kinds. If in T it holds P P0, then there is a transition AC(F,P) • ! f ! EF(L(a,F),P ). And for each f F it holds EF(F,P) AC(F, f (P)). 0 2 ! F/L Theorem 18. P Q in T if and only if EF(F,P) · EF(F,Q) in the L-transform of T. ⇠ ⇠ The proof idea is that from an F/L-bisimulation in T it is easy to construct an (ordinary) bisimulation F/L in the L-transform of T, and vice versa. A direct consequence is that P Q iff EF(F,P) =· EF(F,Q) in ⇠ the L-transform of T. Here the actions in the logic would include effects f F . 2

6 Related work and examples

HML for CCS. The first published HML is Hennessy and Milner (1985) [15]. They use finite (binary) conjunction with the assumption of image-finiteness for ordinary CCS. The same goes for the value- passing calculus and logic by Hennessy and Liu (1995) [14], where image-finiteness is due to a late semantics and the logic contains quantification over data values. A similar idea and argument is in a logic for LOTOS by Calder et al. (2002) [8], though that only considers stratified bisimilarity up to w. Hennessy and Liu’s value-passing calculus is based on abstractions (x)P and concretions (v,P) where v is drawn from a set of values. To encode their logic in ours, we add effects idSTATES and ?v, with !v ?v((x)P)=P v/ , and transitions (v,P) P. Letting L(a?, )= ?v : v values and L(a, )= { x} ! { 2 } id otherwise, late bisimilarity is id /L-bisimilarity as defined in Section 5. We can { STATES} { STATES} then encode their universal quantifier x.A as ?v A v/ , which has support supp(A) x , and their 8 vh i { x} \{ } output modality c!x A as c! !v A v/ , with support c (supp(A) x ). h i h i vh i { x} V { } [ \{ } An infinitary HML for CCSW is discussed in Milner’s book (1989) [18], where also the process syntax contains infinite summation. There are no restrictions on the indexing sets and no discussion about how this can exhaust all names. The adequacy theorem is proved by stratifying bisimilarity and using transfinite induction over all ordinals, where the successor step basically is the contraposition of the argument in Theorem 10, though without any consideration of finite support. A more rigorous treatment of the same ideas is by Abramsky (1991) [3] where uniformly bounded conjunction is used throughout.

Pi-calculus. The first HML for the pi-calculus is by Milner et al. (1993) [20], where infinite conjunction is used in the early semantics and conjunctions are restricted to use a finite set of free names. The adequacy proof is of the same structure as in this paper. The logic defined in this paper, applied to the pi-calculus transition system omitting bound input actions x(y), contains the logic F of Milner et al., or the equipotent logic FM if we take the set of name matchings [a = b] as state predicates.

Spi Calculus. Frendrup et al. (2002) [12] provide three Hennessy-Milner logics for the spi calculus [2]. The action modalities in Frendrup’s logic only uses parts of the labels: on process output, the modality a tests only the channel used. On process input, the modality ax describes how the observer s h i h i computed the received message M = e(xs), where x is an expression that may contain decryptions and projections, and supp(x) dom(s) is fresh for P and s. Simplifying the labels of the transition \ 1053 Modal Logics for Nominal Transition Systems system to t and the aforementioned a and ax labels, our minimal HML applied to the particular nominal transition system of the spi calculus coincides with the logic F of Frendrup et al, although the latter uses infinite conjunction without any mechanism to prevent formulas from exhausting all names, leaving none available for alpha-conversion. Thus their notion of substitution is not formally well defined. Their logic EM replaces the simple input modality by an early input modality a(x) E A, which h i (after a minor manipulation of the input labels) can be encoded as the conjunction ax A x/ , which x h i { x} has support supp(A) x . We do not consider their logic LM that uses a late input modality, since its \{ } V application relies on sets that do not have finite support [12, Theorem 6.12], which are not meaningful in nominal logic.

Applied Pi-calculus. A more recent work is a logic by Pedersen (2006) [23] for the applied pi-calculus [1], where the adequacy theorem uses image-finiteness of the semantics in the contradiction argument. The logic contains atomic formulae for equality in the frame of a process, corresponding to our state predicates. The main difference to our logic is an early input modality and a quantifier x. 9 Their early input modality a(x) A can be straightforwardly encoded as the conjunction aM A M/ , h i Mh i { x} with support a (supp(A) x ). For the existential quantifier, there is a requirement that the received { }[ \{ } V term M can be computed from the current knowledge available to an observer of the process, which M/x we here write M S (P). We add actions M/x with bn(M/x)=x and transitions P P M/ if 2 ! |{ x} M S (P) and x#P. We can then encode x.A as M/x A, which has support supp(A) x . 2 9 Mh i \{ } W Fusion calculus. In a HML for the fusion calculus by Haugstad et al. (2006) [13] the fusions (i.e., equality relations on names) are action labels j. The corresponding modal operator j A has the se- h i mantics that the formula A must be satisfied for all substitutive effects of j (intuitively, substitutions that map each name to a fixed representative for its equivalence class). The adequacy theorem uses the contradiction argument with infinite conjunction, with no argument about finiteness of names for the distinguishing formula. This HML can be encoded in our framework by making the substitutive effects of fusion actions visible in the transition system.

Concurrent constraint pi calculus. The concurrent constraint pi calculus (CC-pi) by Buscemi and Montanari (2007) [6] extends the explicit fusion calculus [27] with a more general notion of constraint stores c. The reference equivalence for CC-pi is open bisimulation [7] (closely corresponding to hyper- bisimulation in the fusion calculus [22]), which differs from labelled bisimulation in two ways: First, two equivalent processes must be equivalent under all store extensions. To encode this, we let the effects F be the set of constraint stores c different from 0, and let c(P)=c P. Second, when simulating a labelled | b transition P a P , the simulating process Q can use any transition Q Q with an equivalent label, as ! 0 ! 0 given by a state predicate a = b. As an example, if a = a x is a free output label then P a = b h i ` iff b = b y where P a = b and P x = y. To encode this, we transform the labels of the transition h i ` ` a [a]P system by replacing them with their equivalence classes, i.e., P P becomes P P where b [a] ! 0 ! 0 2 P iff P b = a. Hyperbisimilarity (Deﬁnition 12) on this transition system then corresponds to open ` bisimilarity, and the modal logic deﬁned in Section 5 is adequate.

Nominal transition systems. De Nicola and Loreti (2008) [10] define a general format for nominal transition systems and an associated modal logic, that is adequate for image-finite transition systems only and uses several different modalities for name revelation and resource consumption. In contrast, we seek a small and expressive HML for general nominal transition systems. Indeed, the logic of De Nicola Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 1154 and Loreto can be seen as a special case of ours: their different transition systems can be merged into a single one, and we can encode their quantifiers and fixpoint operator as described in Section 4. Nominal SOS of Cimini et al. (2012) [9] is also a special case of nominal transition systems.

a Psi-calculi. In psi-calculi by Bengtson et al (2011) [4], the labelled transitions take the form Y . P P0, ! where the assertion environment Y is unchanged after the step. We model this as a nominal transition system by letting the set of states be pairs (Y,P) of assertion environments and processes, and define a a the transition relation by (Y,P) (Y,P ) if Y . P P . The notion of bisimulation used with psi- ! 0 ! 0 calculi also uses an assertion environment and is required to be closed under environment extension, i.e., if Y . P Q, then Y Y . P Q for all Y . We let the effects F be the set of assertions, and ⇠ ⌦ 0 ⇠ 0 define Y((Y ,P)) = (Y Y ,P). Hyperbisimilarity on this transition system then subsumes the standard 0 ⌦ 0 psi-calculi bisimilarity, and the modal logic defined in Section 5 is adequate.

7 Conclusion

We have given a general account of transition systems and Hennessy-Milner Logic using nominal sets. The advantage of our approach is that it is more expressive than previous work. We allow infinite conjunctions that are not uniformly bounded, meaning that we can encode e.g. quantifiers and the next-step operator. We have given ample examples of how the definition captures different variants of bisimilarity and how it relates to many different versions of HML in the literature. We have formalized the results of Section 3, including Theorems 7 and 10, using Nominal Is- abelle [26].1 Nominal Isabelle is an implementation of nominal logic in Isabelle/HOL [21], a popular interactive proof assistant for higher-order logic. It adds convenient specification mechanisms for, and automation to reason about, datatypes with binders. However, Nominal Isabelle does not directly support infinitely branching datatypes. Therefore, the mechanization of formulas (Definition 4) was challenging. We construct formulas from first principles in higher-order logic, by defining an inductive datatype of raw formulas (where alpha-equivalent raw formulas are not identified). The datatype constructor for conjunction recurses through sets of raw formulas of bounded cardinality, a feature made possible only by a recent re-implementation of Isabelle/HOL’s datatype package [5]. We then define alpha-equivalence of raw formulas. For finitely branching datatypes, alpha-equivalence is based on a notion of free variables. Here, to obtain the correct notion of free variables of a conjunction, we define alpha-equivalence and free variables via mutual recursion. This necessitates a fairly involved termination proof. (All recursive functions in Isabelle/HOL must be terminating.) To obtain formulas, we quotient raw formulas by alpha-equivalence, and finally carve out the subtype of all terms that can be constructed from finitely supported ones. We then prove important lemmas; for instance, a strong induction principle for formulas that allows the bound names in a A to be chosen fresh for any finitely h i supported context. Our development, which in total consists of about 2700 lines of Isabelle definitions and proofs, generalizes the constructions that Nominal Isabelle performs for finitely branching datatypes to a type with infinite branching. To our knowledge, this is the first mechanization of an infinitely branching nominal datatype in a proof assistant.

1Our Isabelle theories are available at https://github.com/tjark/ML-for-NTS. 1255 Modal Logics for Nominal Transition Systems

Acknowledgements

We thank Andrew Pitts for enlightening discussions on nominal datatypes with inﬁnitary constructors, and Dmitriy Traytel for providing a formalization of cardinality-bounded sets.

References

[1] Mart´ın Abadi & Cedric´ Fournet (2001): Mobile Values, New Names, and Secure Communication. In: Pro- ceedings of POPL ’01, ACM, pp. 104–115. [2] Mart´ın Abadi & Andrew D. Gordon (1999): A Calculus for Cryptographic Protocols: The Spi Calculus. Journal of Information and Computation 148(1), pp. 1–70. [3] Samson Abramsky (1991): A Domain Equation for Bisimulation. Journal of Information and Computa- tion 92(2), pp. 161–218, doi:10.1006/inco.1991.9999. Available at http://dx.doi.org/10.1006/inco. 1991.9999. [4] Jesper Bengtson, Magnus Johansson, Joachim Parrow & Bjorn¨ Victor (2011): Psi-calculi: a framework for mobile processes with nominal data and logic. Logical Methods in Computer Science 7(1), doi:10.2168/LMCS-7(1:11)2011. Available at http://dx.doi.org/10.2168/LMCS-7(1:11)2011. [5] Jasmin Christian Blanchette, Johannes Holzl,¨ Andreas Lochbihler, Lorenz Panny, Andrei Popescu & Dmitriy Traytel (2014): Truly Modular (Co)datatypes for Isabelle/HOL. In Gerwin Klein & Ruben Gamboa, editors: Proceedings of ITP 2014, LNCS 8558, Springer, pp. 93–110, doi:10.1007/978-3-319-08970-6 7. Available at http://dx.doi.org/10.1007/978-3-319-08970-6_7. [6] Maria Grazia Buscemi & Ugo Montanari (2007): CC-Pi: A Constraint-Based Language for Specifying Ser- vice Level Agreements. In Rocco De Nicola, editor: Proceedings of ESOP 2007, LNCS 4421, Springer, pp. 18–32. [7] Maria Grazia Buscemi & Ugo Montanari (2008): Open Bisimulation for the Concurrent Constraint Pi- Calculus. In Sophia Drossopoulou, editor: Proceedings of ESOP 2008, LNCS 4960, Springer, pp. 254–268, doi:10.1007/978-3-540-78739-6 20. Available at http://dx.doi.org/10.1007/978-3-540-78739-6_ 20. [8] Muffy Calder, Savi Maharaj & Carron Shankland (2002): A modal logic for full LOTOS based on symbolic transition systems. The Computer Journal 45(1), pp. 55–61. [9] Matteo Cimini, Mohammad Reza Mousavi, Michel A. Reniers & Murdoch J. Gabbay (2012): Nominal SOS. Electron. Notes Theor. Comput. Sci. 286, pp. 103–116, doi:10.1016/j.entcs.2012.08.008. Available at http://dx.doi.org/10.1016/j.entcs.2012.08.008. [10] Rocco De Nicola & Michele Loreti (2008): Multiple-Labelled Transition Systems for nominal calculi and their logics. Mathematical Structures in Computer Science 18(1), pp. 107–143, doi:10.1017/S0960129507006585. Available at http://dx.doi.org/10.1017/S0960129507006585. [11] E. Allen Emerson (1997): Model checking and the Mu-calculus. In: DIMACS Series in Discrete Mathemat- ics, American Mathematical Society, pp. 185–214. [12] Ulrik Frendrup, Hans Huttel¨ & Jesper Nyholm Jensen (2002): Modal Logics for Cryptographic Processes. Electr. Notes Theor. Comput. Sci. 68(2), pp. 124–141. Available at http://dx.doi.org/10.1016/ S1571-0661(05)80368-8. [13] Arild Martin Møller Haugstad, Anders Franz Terkelsen & Thomas Vindum (2006): A Modal Logic for the Fusion Calculus. Unpublished, University of Aalborg. [14] M. Hennessy & X. Liu (1995): A modal logic for message passing processes. Acta Informatica 32(4), pp. 375–393, doi:10.1007/BF01178384. Available at http://dx.doi.org/10.1007/BF01178384. [15] Matthew Hennessy & Robin Milner (1985): Algebraic Laws for Nondeterminism and Concurrency. J. ACM 32(1), pp. 137–161. Available at http://doi.acm.org/10.1145/2455.2460. Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 1356

[16] Dexter Kozen (1983): Results on the propositional mu-calculus. Theoretical Computer Science 27(3), pp. 333 – 354, doi:http://dx.doi.org/10.1016/0304-3975(82)90125-6. Available at http://www.sciencedirect. com/science/article/pii/0304397582901256. Special Issue Ninth International Colloquium on Au- tomata, Languages and Programming (ICALP) Aarhus, Summer 1982. [17] Kim G. Larsen (1988): Proof systems for Hennessy-Milner Logic with recursion. In M. Dauchet & M. Nivat, editors: Proceedings of CAAP ’88, LNCS 299, Springer, pp. 215–230, doi:10.1007/BFb0026106. Available at http://dx.doi.org/10.1007/BFb0026106. [18] Robin Milner (1989): Communication and Concurrency. Prentice Hall. [19] Robin Milner, Joachim Parrow & David Walker (1992): A Calculus of Mobile Processes, I. Inf. Com- put. 100(1), pp. 1–40, doi:10.1016/0890-5401(92)90008-4. Available at http://dx.doi.org/10.1016/ 0890-5401(92)90008-4. [20] Robin Milner, Joachim Parrow & David Walker (1993): Modal logics for mobile processes. Theoretical Computer Science 114(1), pp. 149 – 171, doi:10.1016/0304-3975(93)90156-N. Available at http://www. sciencedirect.com/science/article/pii/030439759390156N. [21] Tobias Nipkow, Lawrence C. Paulson & Markus Wenzel (2002): Isabelle/HOL - A Proof Assistant for Higher- Order Logic. LNCS 2283, Springer, doi:10.1007/3-540-45949-9. Available at http://dx.doi.org/10. 1007/3-540-45949-9. [22] Joachim Parrow & Bjorn¨ Victor (1998): The Fusion Calculus: Expressiveness and Symmetry in Mobile Processes. In: Proceedings of LICS 1998, pp. 176–185, doi:10.1109/LICS.1998.705654. Available at http: //dx.doi.org/10.1109/LICS.1998.705654. [23] Michael Pedersen (2006): Logics for the Applied pi calculus. Master’s thesis, Aalborg University. BRICS RS-06-19. [24] Andrew M. Pitts (2013): Nominal Sets. Cambridge University Press. Available at http://dx.doi.org/ 10.1017/CBO9781139084673. Cambridge Books Online. [25] Davide Sangiorgi (1993): A theory of bisimulation for the p-calculus. In Eike Best, editor: Proceedings of CONCUR ’93, LNCS 715, Springer, pp. 127–142, doi:10.1007/3-540-57208-2 10. Available at http: //dx.doi.org/10.1007/3-540-57208-2_10. [26] Christian Urban & Cezary Kaliszyk (2012): General Bindings and Alpha-Equivalence in Nominal Isabelle. Logical Methods in Computer Science 8(2), doi:10.2168/LMCS-8(2:14)2012. Available at http://dx. doi.org/10.2168/LMCS-8(2:14)2012. [27] Lucian Wischik & Philippa Gardner (2005): Explicit fusions. Theoretical Computer Science 304(3), pp. 606–630.

A Appendix: Proofs

Proofs from Section 3

Proposition 3 · is an equivariant equivalence relation. ⇠ Proof: The proof has been formalized in Isabelle. Equivariance is a simple calculation, based on the observation that if R is a bisimulation, then p R is a bisimulation. To prove reflexivity of · , we note that · ⇠ equality is a bisimulation. Symmetry is immediate from Def. 2. To prove transitivity, we show that the composition of · with itself is a bisimulation; the simulation requirement is proved by a considering an ⇠ a alpha-variant of P P where bn(a) is fresh for Q. ! 0 Lemma 19. = is equivariant. | Proof: By the Equivariance Principle in Pitts (2013) [24, page 21]. A more detailed proof that verifies P = A p P = p A for any permutation p has been formalized in Isabelle. The proof proceeds | () · | · 1457 Modal Logics for Nominal Transition Systems by structural induction on A, using equivariance of all involved relations. For the case a A in particular, h i we use the fact that if a A = a A, then p a (p A )= p a (p A). h 0i 0 h i h · 0i · 0 h · i · Theorem 7 P · Q = P =· Q ⇠ ) Proof: The proof has been formalized in Isabelle. Assume P · Q. We show P = A Q = A by ⇠ | () | structural induction on A. 1. Base case: A = j. Then P = A P j Q j Q = A by static implication and | () ` () ` () | symmetry of · . ⇠ 2. Inductive steps i I Ai and A: immediate by induction. 2 ¬ a 3. Inductive step Va A: Assume P = a A. Then for some alpha-variant a A = a A, P .P 0 h i | h i h 0i 0 h i 9 0 ! P0 and P0 = A0. Without loss of generality we assume also bn(a0)#Q, otherwise just find an alpha- | a variant of a A where this holds. Then by simulation Q .Q 0 Q and P · Q . By induction h 0i 0 9 0 ! 0 0 ⇠ 0 and P = A we get Q = A , whence by definition Q = a A. The proof of Q = a A = 0 | 0 0 | 0 | h i | h i ) P = a A is symmetric, using the fact that P · Q entails Q · P. | h i ⇠ ⇠ Lemma 9 If A is a distinguishing formula for P and Q, then there exists a distinguishing formula B for P and Q such that supp(B) supp(P). ✓ Proof: The proof has been formalized in Isabelle. We use the fact that a conjunction is well-formed if the set of conjuncts has finite support—this is much more liberal than that each conjunct has the same finite support. Assume P = A and not Q = A. Let S be the group of name permutations of names outside | | supp(P) and let B be the S-orbit of A, i.e.,

B = p A p S { · | 2 } Clearly p B = B for all p S, thus supp(B) supp(P), which means that the formula B = B is 0 · 0 2 ✓ well-formed and supp(B) supp(P). By equivariance, if P = A and p S then also P = p A. Therefore ✓ | 2 | · V P = B. Furthermore, since the identity permutation is in S and not Q = A we get not Q = B. | | | Theorem 10 P =· Q = P · Q ) ⇠ Proof: The proof has been formalized in Isabelle. We establish that =· is a bisimulation. Obviously it is symmetric. So assume P =· Q, we need to prove the two requirements on a bisimulation. 1. Static implication. P j iff P = j iff Q = j iff Q j. ` | | ` 2. Simulation. The proof is by contradiction. Assume that =· does not satisfy the simulation re- a quirement. Then there exist P,Q,P0,a with bn(a)#Q such that P =· Q and P P0 and, letting a ! Q = Q Q Q , for all Q Q it holds that P =· Q . Assume bn(a)#P, othertwise just ﬁnd an { 0 | ! 0} 0 2 0 6 0 alpha-variant of the transition satisfying this. By P =· Q , for all Q Q there exists a distinguish- 0 6 0 0 2 ing formula for P0 and Q0. The formula may depend on Q0, and by Lemma 9 we can ﬁnd such a distinguishing formula B for P and Q with supp(B ) supp(P ). Therefore the formula Q0 0 0 Q0 ✓ 0

B = BQ0 Q Q ^02 is well-formed with support included in supp(P ). We thus get that P = a B but not Q = a B, 0 | h i | h i contradicting P =· Q. Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 1558

Proofs from Section 4 on fixpoint operators Definition 20. We extend the nominal set of formulas with the least fixpoint operator:

A ::= Ai A j a A X µX.A i I |¬ | | h i | | ^2 where X is ranges over a countable set of equivariant variables. We require that all occurrences of a variable X in a formula µX.A are in the scope of an even number of negations. We use a capture-avoiding substitution function on formulas [A/X] that substitutes A for the variable X. In particular, ( a B)[A/X]= a (B[A/X]) when bn(a) is fresh for A. h i h i To encode the fixpoint operators, we first give a semantics to formulas (including fixpoints) as sets of states. Definition 21. A valuation function e is a map from variables to finitely supported sets of states, such that e(X) is the empty set for all but finitely many X. We define the interpretation function as follows:

i I Ai e = i I Ai e 2 2 A = STATES A V ¬ e T e J jKe = P PJ K j { | ` }a aJ AKe = P P0 .PJ K P0 and P0 A e h Ji K | 9 ! 2 X e = ne(X) o J K J K µX.A e = S Pfs(STATES) A e[X S] S J K 2 | 7! ✓ Tn o Note that is equivariant, so the intersections defining i I Ai e and µX.A e are finitely supported. · · J K 2 J K Lemma 22. Let A be a formula as defined in Definition 4,V then P = A if and only if P A e . J K J K| J K 2 Proof. By induction on A. J K Similarly to the Knaster-Tarksi fixpoint theorem, the least fixpoint lfp(F) of a finitely supported function F on the lattice of finitely supported subsets of a nominal set X can be computed by taking the intersection of all pre-fixpoints (i.e., finitely supported sets S such that F(S) S). (Note that the usual ✓ Tarski fixpoint theorem does not apply, since this lattice is not continuous in general.) Lemma 23. If X is a nominal set and F : P (X) P (X) is monotonic and finitely supported, then fs ! fs the least fixpoint of F is given by S P (X) F(S) S . 2 fs | ✓ Tn o Proof. Let A = S P (X) F(S) S . Note that X A, that A has finite support (bounded by 2 fs | ✓ 2 supp(F)), and that A contains all fixpoints of F. Let C = A; note that supp(C) supp(A) is finite and ✓ that C is a subset of any fixpoint of F. Since C S for all S A, we have F(C) S A F(S) S A S =C. ✓ 2T ✓ 2 ✓ 2 From F(C) C and monotonicity we get F(F(C)) F(C), so F(C) A and we get C F(C) by con- ✓ ✓ 2 T ✓ T struction. From F(C) C F(C) we get C = F(C), so C is indeed the least fixpoint of F. ✓ ✓

We thus only need to show that F(S)= A e[X S] is monotonic in order for the interpretation of the least ﬁxpoint formula µX.A to indeed denote the least7! ﬁxpoint.

Lemma 24. The function F(S)= A e[X S] JisK monotonic for a closed formula µX.A. 7!

Proof. Assume S T for ﬁnitely supported sets of states S and T. We need to show that A e[X S] ✓ J K 7! ✓ A e[X T]. We proceed by structural induction on A. 7! J K J K 1659 Modal Logics for Nominal Transition Systems

Case j: Since X does not occur in j, j e[X S] = j e j e = j e[X T]. 7! ✓ 7!

Case X0: If X = X0, then e[X S](X)=S T = e[X T](X) by assumption. Otherwise e(X)=e(X) 7! J K ✓ J K7! J K J K by reﬂexivity of . ✓

Case A: As induction hypothesis we have A e[X S] A e[X T]. We consider two cases. If X does not ¬ 7! ✓ 7! occur in A, then A e[X S] = A e and A e[X T] = A e , and by reﬂexivity of we are done ¬ 7! ¬ ¬ 7! ¬ ✓ in this case. Otherwise, the X occurs inJAKand is in scopeJ K of one , we know A e[X T] A e[X S], ¬ 7! ✓ 7! therefore A e[JX SK] = STATESJ KA e[X J S] K STATES J AKe[X T] = A e[X S]. ¬ 7! 7! ✓ 7! ¬ 7! J K J K Case a A: Since, from induction hypothesis, A e[X S] A e[X T], it is easy to see that a A e[X S] h i J K J K 7! ✓ J 7!K J K h i 7! contains at least the state of a A e[X T], that is, the former is the subset of latter. h i 7! J K J K J K Case i I Ai: By induction hypothesis, for every i I, Ai e[X S] Ai e[X S]. Thus, i I Ai e[X S] = 2 J K 2 7! ✓ 7! 2 7! i I Ai e[X S] i I Ai e[X T] = i I Ai e[X T]. V 2 7! ✓ 2 7! 2 7! V T T V J K J K J K Case µX0.A: In case X = X0 and by induction hypothesis A e[X S] A e[X T], µX0.A e[X S] = J K J K J K 7! ✓ 7! 7! S0 P (STATES) A e[X S][X S ] S0 µX0.A e[X T]. In case X0 = X, then µX0.A e[X S] = 2 fs | 7! 07! 0 ✓ ✓ 7! 6 7! µX .A and similarly for the set T, thus by reﬂexivity of we conclude the proof case. T 0 e J K✓ J K J K J K J K J K J K

The least fixpoint operator can be directly expressed in our logic of Section 3. The idea here is simple: we translate a fixpoint into an infinite disjunction that at each step i unrolls the recursion i times. This then semantically corresponds to a limit of an w-chain generated by a monotonic function, i.e., the least fixpoint.

expand (µX.A)= 0 ? expandi+1(µX.A)=A[expandi(µX.A)/X] µX.A = i w expandi(µX.A) 2 X = X i I Ai = i I Ai A = A j = j a A = a A 2 W2 ¬ ¬ h i h i V V Note that expandi is equivariant for all i. Thus, the disjunction in the ﬁxpoint case is well-formed and has support bounded by supp(A).

Theorem 25. For any formula A and valuation function e, A e = A e .

J K J K Proof. By structural induction over A.

Case µX.A We need to show that µX.A e = µX.A e . First, we compute the left-hand side to µX.A e = i w expandi(µX.A) e = i w expandi(µX.A) e Second, deﬁne F(S)= A e[X S], and using 2 2 i 7! this we approximate the ﬁxpointJ fromK belowJ withK i w F (/0 )= S P (STATES) AJ e[X SK] S = W S 2 2 fs | 7! ✓ µX.A . J e K J SK T J K We prove that the above expressions are equal by showing that the elements are equivalentJ K at every step,J thatK is, expand (µX.A) = Fi(/0 ) for every i w. The proof proceeds by induction on i. i e 2 J K Parrow, Borgstrom,¨ Eriksson, Gutkovas, Weber 1760

Base case: = /0 = F0(/0 ) by deﬁnition. Induction step: ? e expand (µX.A) = expand (µX.A) = J K i+1 e i+1 e = A[expandi(µX.A)/X] e = J K = JA[expandi(µX.A)/KX] e = = JA e[X expand (µX.A) ] K 7! i = JA e[X Fi(/0 )] K 7! J K (ByJ induction hypothesis)K = JAKe[X Fi(/0 )] 7! (By induction hypothesis A e = A e for any e) = JF(KFi(/0 )) i+ = F 1(/0 ) J K J K

Other cases are trivial.

Proofs from Section 5 Theorem 15 F/L F/L P Q P = Q ⇠ () Proof: Direction is a generalization of Theorem 7. ) 1. Base case: A = f j and f F. Then f (P) j. By static implication f (Q) j, which means h i 2 ` ` Q = A. | a 2. Inductive step f a A where A A F/L: Assume P = f a A. Then P . f (P) P and h ih i 2 | h ih i 9 0 ! 0 P0 = A. Without loss of generality we assume also bn(a)# f (Q), otherwise just find an alpha- | L(a,F)/L variant of the transition where this holds. Then by simulation Q . f (Q) a Q and P Q . 9 0 ! 0 0 ⇠ 0 By induction and P = A and A A F/L we get Q = A, whence by definition Q = f a A. 0 | 2 0 | | h ih i F/L The direction is a generalization of Theorem 10: we prove that = is an F/L-bisimulation. The ( modified clauses are: 1. Static implication. Assume f F, then f (P) j iff P = f j iff Q = f j iff f (Q) j. 2 ` | h i | h i ` F/L 2. Simulation. The proof is by contradiction. Assume that = does not satisfy the simulation re- F/L a quirement. Then there exist f F,P,Q,P0,a such that P = Q and f (P) P0 and, letting a 2 L(a,F)/L ! Q = Q f (Q) Q , for all Q Q it holds not P = Q . Choose bn(a)# f (P). Thus, { 0 | ! 0} 0 2 0 0 for all Q Q there exists a distinguishing formula in A L(a,F)/L for P and Q . The formula may 0 2 0 0 depend on Q , and by Lemma 16 we can find such a distinguishing formula B A L(a,F)/L for P 0 Q0 2 0 and Q with support in supp(P ,L(a,F)) supp(P,a,F). Therefore the formula 0 0 ✓

B = BQ0 Q Q ^02 L(a,F)/L is well formed in A with support included in supp(P0,a,F). We thus get that P = f a B F/L | h ih i but not Q = f a B, contradicting P = Q. | h ih i 1861 Modal Logics for Nominal Transition Systems

Lemma 16 If A A F/L is a distinguishing formula for P and Q, then there exists a distinguishing 2 formula B A F/L for P and Q in such that supp(B) supp(P,F). 2 ✓ Proof: by direct construction: in the terminology of Pitts [24] ch. 5, B is the conjunction of hullsupp(P,F)A. To spell out the proof: Assume A A F/L and P = A and not Q = A. Let S be the group of name per- 2 | | mutations of names outside supp(P,F) and let B be the S-orbit of A, i.e.

B = p A p S { · | 2 } Clearly p B = B for all p S, thus supp(B) supp(P,F), which means that the formula B = B 0 · 0 2 ✓ is well formed and supp(B) supp(P,F). By equivariance, if P = A and p S then also P = p A. ✓ | 2 | V· Therefore P = B. Furthermore, since the identity permutation is in S and not Q = A we get not Q = B. | | | Finally, since L is equivariant we have supp(A F/L) supp(F), which means that p A A F/L for all ✓ · 2 p S, this establishes B A F/L. 2 2 F/L Theorem 18 P Q in T if and only if EF(F,P) · EF(F,Q) in the L-transform of T. ⇠ ⇠ Proof: For the direction , assume that R is an L-bisimulation. Deﬁne R on the L-transform by ) 0 including (EF(F,P), EF(F,Q)) and (AC(F, f (P)), AC(F, f (Q))) for all P,Q, f ,F such that f F and 2 RF (P,Q). We now prove R0 to be a simulation. Assume R0(S,T). 1. Static implication: Assume S j. Then S = AC(F, f (P)) for some F, f F and P and f (P) j ` 2 ` holds in T, and T = AC(F, f (Q)) with R (P,Q). Thus f (Q) j whence T j. F ` ` a 2. Simulation: Assume S S0. There are two cases: f ! S = EF(F,P) AC(F, f (P)) = S0 and f F. Then T = EF(F,Q) where RF (P,Q). We get • f ! 2 T AC(F, f (Q)) = T 0 and R0(S0,T 0). Note here and below that bn( f )=/0. ! a a S = AC(F, f (P)) EF(L(a,F),P0)=S0 and f (P) P0, with bn(a)#AC(F, f (Q)). Then also • ! ! a bn(a)# f (Q). We get T = AC(F, f (Q)) where RF (P,Q), so also f (Q) Q0 with RL(a,F)(P0,Q0). a ! Thus T EF(L(a,F),Q )=T , and R (S ,T ) as required. ! 0 0 0 0 0 For the direction , assume that R0 is a bisimulation in the L-transform of T. Deﬁne R by R (P,Q) if ( F F R0(EF(F,P), EF(F,Q)). We prove R an L-bisimulation. Assume RF (P,Q). f 1. Static implication: Let f F and assume f (P) j. Then EF(F,P) AC(F, f (P)). Since R0 is a 2 f ` ! bisimulation we get EF(F,Q) AC(F, f (Q)). Now f (P) j means AC(F, f (P)) j, and again ! ` ` since R is a bisimulation AC(F, f (Q)) j, which means f (Q) j as required. 0 ` ` a 2. Simulation: Assume f F and f (P) P with bn(a)# f (Q). Without loss of generality addi- 2 ! 0 tionally assume the transition is represented by an alpha-variant such that bn(a)#F. We get the transitions f a EF(F,P) AC(F, f (P)) EF(L(a,F),P0) ! ! Since R0 is a bisimulation and bn(a)#F, f (Q) we get a simulating sequence

f a EF(F,Q) AC(F, f (Q)) EF(L(a,F),Q0) ! ! This means that f (Q) a Q with R (P ,Q ) as required. ! 0 L(a,F) 0 0 Recovering a Labelled Semantics for Soft CCP with Local Variables⇤

Fabio Gadducci Francesco Santini Dipartimento di Informatica, IIT-CNR, Universita` di Pisa, Italy Pisa, Italy [email protected] [email protected]

Extended Abstract. While the dynamics of a computational system is nowadays more often specified operationally by means of a reduction system (RS), a labelled semantics is needed in order to take advantage of the tools for checking observational properties and equivalences. The methodological advance of the seminal paper [7] is the recognition that labelled semantics should be derivable from reduction semantics in a uniform and systematic way. The proposal of [7] is to build a labelled transition system (LTS) from a RS by identifying labels as the minimal contexts needed to trigger a reduction. Unfortunately, this notion of minimality, called relative pushout, proved to be dicult to check and apply, also for most basic calculi such as CCS [4, 8]. A recent proposal [5] suggests to remove the requirement of minimality, in order to characterize a class of LTSs verifying weaker coherence properties, yet ensuring the adequacy of the observational equivalence. One of the testbed of the proposal has been Concurrent Constraint Programming (CCP) [9], a language based on a shared-memory communication pattern: processes interact by either posting or checking partial information, represented as constraints in a global store. CCP belongs to the larger family of process calculi, thus a syntax-driven operational semantics represents the computational steps. For example, the term tell(c) is the process that posts c in the store, and the term ask(c) P is the process that executes P if c can be derived from the ! information in the store. The formalism is parametric with respect to the entailment relation. Under the name of constraint system, the information recorded on the store is structured as a partial order (actually, a lattice) , where c d means that c can be derived from d. Under a few requirements over such   systems, CCP has been provided with (coincident) operational and denotational semantics. A key aspect of CCP is the idempotency of constraint composition: adding an information twice does not change the store. In the soft variant of the formalism (Soft CCP, SCCP [2]), constraint systems may distinguish the number of occurrences of a piece of information. Dropping idempotency requires a full reworking of the theory. Although an operational semantics for SCCP has been devised [2], neither the denotational nor the labelled one has been reintroduced. The work in [9] establishes a denotational semantics for CCP and an equational theory for infinite agents. More recently, in [1] the authors prove that the axiomatisation is underlying a specific weak bisimilarity among agents, thus providing a clear operational understanding. The key ingredients are a complete lattice as the domain of the store, with least upper bound for constraint combination, and a notion of compactness such that domain equations for the parallel composition of recursive agents are well-defined. The soft version [2] drops the upper bound for combination in exchange of a monoidal operator. Thus, the domain is just a (not

⇤Research partially supported by the MIUR PRIN 2010LHT4KM CINA and 2010XSEMLC “Security Horizons”.

c F. Gadducci & F. Santini Submitted to: This work is licensed under the MeMo 2015 Creative Commons Attribution License. 263 Recovering a Labelled Semantics for Soft CCP

A, B, with = 0 x 0 00 0 x 0 Hide 0h ⌦9 i!h1 i ÷ 9 A, B,0 with = 00 0 h9x i ! h9x ⌦9x 1i 1 ÷ 9x z ↵ A,0 0[ /x] B,” with 0 = x0,x < sv(↵),z < fv(A) sv() sv(0) h ⌦ i ↵![x/ h] i ÷ 9 [ [ L-Hide 0 z 1 x z A, B,0 ↵[ / ] with = ” (↵ 0[ / ]) h9x i !h9x ⌦ z ⌦9x 1i 1 ÷ ⌦ x

Table 1: Unlabelled and labelled version of the rule for the local hiding of variables. necessarily complete) partial order, possibly with finite meets and a residuation operator (a kind of inverse of the monoidal one) in order to account for algorithms concerning constraint propagation. Indeed, the main use of SCCP has been in the generalisation of classical constraint satisfaction problems, hence the lack of investigation about denotational semantics. In [6] we connected the works on the soft [2] and the classical (also indicated in the literature as “crisp”) [1, 9] paradigm by investigating a labelled (and an unlabelled) semantics for a deterministic fragment of SCCP. In particular, the result was a mix of those investigated in the two communities, namely, a monoid whose underlying set of elements form a complete lattice. Residuation theory provided an elegant way to define a weak inverse operator of tensor with ⌦ the purpose to determine the minimal information that enables the firing of actions in the LTS, thus distilling a suitable notion of labelled transition. The operational semantics chosen in [6] favoured a global view of variables, namely, the agent xA, roughly corresponding to an existential quantification over the variable x of the 9 y agent A, would evolve to the agent A[ /x], for y a fresh variable (with respect to the agent A and the store it is valued in). In this work we consider instead local variables, where the hiding operator carries some information on the variables it abstracts. More precisely, according to [3] we consider an extended operator , for the local store. Thanks again to the residuation 9x operator, the rule for the extended hidings can be defined as Hide in Tab. 1. The intuition is that variable x may be local to a component of the store , yet visible at a global level: we 9x 0 must then evaluate A in the store when the local x is hidden, yet the possible duplications are removed (e.g., may already occur in the global store ). The final store intuitively contains 9x 0 in 1 the original 0 increased by what has been added by the step. In the labelled version of the rule (L-Hide in Tab. 1) we rename the global x with a fresh variable z, instead of hiding x in the global store, as we do in the corresponding unlabelled rule. We accomplish this in order to keep track of the global x in ↵: finally, in the result we restore the occurrences of z back to x. The work is rounded up by a preliminary correspondence results between fair computations and bisimulation for soft CCP with local variables. References

[1] Andres´ Aristizabal,´ Filippo Bonchi, Catuscia Palamidessi, Luis Fernando Pino & Frank D. Valencia (2011): Deriving labels and bisimilarity for concurrent constraint programming. In Martin Hofmann, editor: FOSSACS 2011, LNCS 6604, Springer, pp. 138–152. [2] Stefano Bistarelli, Ugo Montanari & Francesca Rossi (2006): Soft concurrent constraint programming. ACM ToCL 7(3), pp. 563–589. [3] Frank S. de Boer, Maurizio Gabbrielli, Elena Marchiori & Catuscia Palamidessi (1997): Proving concurrent constraint programs correct. ACM ToPLaS 19(5), pp. 685–725. F. Gadducci & F. Santini 643

[4] Filippo Bonchi, Fabio Gadducci & Barbara Konig¨ (2009): Synthesising CCS bisimulation using graph rewriting. I& C 207(1), pp. 14–40. [5] Filippo Bonchi, Fabio Gadducci & Giacoma Valentina Monreale (2014): A general theory of barbs, contexts, and labels. ACM ToCL 15(4), pp. 35:1–35:27. [6] Fabio Gadducci, Luis Pino, Francesco Santini & Frank Valencia (2015): A labelled semantics for soft CCP. In T. Holvoet & M. Viroli, editors: COORDINATION, LNCS 9037, pp. 133–149. [7] James J. Leifer & Robin Milner (2000): Deriving bisimulation congruences for reactive systems. In Catuscia Palamidessi, editor: CONCUR 2000, LNCS, pp. 243–258. [8] Robin Milner (2006): Pure bigraphs: Structure and dynamics. I&C 204(1), pp. 60–122. [9] Vijay A. Saraswat, Martin C. Rinard & Prakash Panangaden (1991): Semantic foundations of concurrent constraint programming. In David S. Wise, editor: POPL 1991, ACM Press, pp. 333–352.